WordPress Slider By Soliloquy 2.6.2 Cross Site Scripting

2021.12.04
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated) # Date: 02/12/2021 # Exploit Author: Abdurrahman Erkan (@erknabd) # Vendor Homepage: https://soliloquywp.com/ # Software Link: https://wordpress.org/plugins/soliloquy-lite/ # Version: 2.6.2 # Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2 # Proof of Concept: # # 1- Install and activate the Slider by Soliloquy 2.6.2 plugin. # 2- Open Soliloquy and use "Add New" button to add new post. # 3- Add payload to title. Payload: <script>alert(document.cookie)</script> # 4- Add any image in post. # 5- Publish the post. # 6- XSS has been triggered. # # Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users. # Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top