####################################################
# Exploit Title: WordPress agp font awesome collection Stored XSS
# Date: 2015/dec/27
# Exploit Author: ALIREZA_PROMIS
# Vendor Homepage: https://wordpress.org/plugins/agp-font-awesome-collection/
# Software Link: https://downloads.wordpress.org/plugin/agp-font-awesome-collection.zip
# Version: 2.7.1
# Tested on: Windows 7 / Firefox
####################################################
#Exploitation :
To exploit this vulnerability, the "agp font awesome collection" plugin must be installed.
Add details : http://site/wp-admin/post-new.php?post_type=fac-sliders
In the "Headline", "Description:" or "Link URL" textbox, place your JavaScript code after "> and click on "update".
#Example :
"><script>alert("your Javascript code here ");</script>
#JavaScript executes :
1 - On the edit page :
http://site/wp-admin/post.php?post=[post_id]&action=edit
2 - On the post page :
Click on "view Post" on the edit page to find the URL of the post.
{ you can steal the admin cookie with moderator access }
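#Mitigation example :
The following is an added example, not code from the plugin or from the advisory author. It shows why a stored value beginning with "> breaks out of an attribute when echoed as-is, and how context-aware output escaping neutralises it. The function names and markup are hypothetical; inside WordPress the core helpers esc_attr(), esc_html() and esc_url() serve the roles of e() and safe_url() here.

```php
<?php
// Constructed sample: the advisory's proof-of-concept string in each affected field.
$poc   = '"><script>alert("your Javascript code here ");</script>';
$slide = ['headline' => $poc, 'description' => $poc, 'link_url' => $poc];

// Unsafe pattern (hypothetical markup): stored values are concatenated into the
// page as-is, so the leading "> closes the attribute and the tag, and the
// remainder is parsed by the browser as HTML.
function render_unsafe(array $s): string {
    return '<a href="' . $s['link_url'] . '" title="' . $s['headline'] . '">'
         . $s['description'] . '</a>';
}

// Escape for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both " and ', so the value cannot terminate the attribute.
function e(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL fields need more than escaping: accept only absolute http(s) URLs and
// fall back to a harmless placeholder for everything else.
function safe_url(string $v): string {
    $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($v) : '#';
}

// Hardened rendering: every stored value is escaped for the context it lands in.
function render_safe(array $s): string {
    return '<a href="' . safe_url($s['link_url']) . '" title="' . e($s['headline']) . '">'
         . e($s['description']) . '</a>';
}

echo "unsafe: ", render_unsafe($slide), "\n";
echo "safe:   ", render_safe($slide), "\n";
```

Escaping has to be applied on output in both places the advisory lists (the admin edit page and the public post page), since the stored value is rendered in each.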
####################################################
# Special Thanks: Sajjad Sotoudeh
# http://iransec.net/forums
# Mr.Moein , sheytan azzam , Mr.PERSIA , HellBoy.Blackhat
# Jok3r , Kamran Helish , Dr.RooT
#
#
# [+] fb.com/alirezapomis.blackhat
####################################################