WordPress Slider By Soliloquy 2.6.2 Cross Site Scripting

2021.12.04

Credit: Abdurrahman Erkan

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 02/12/2021
# Exploit Author: Abdurrahman Erkan (@erknabd)
# Vendor Homepage: https://soliloquywp.com/
# Software Link: https://wordpress.org/plugins/soliloquy-lite/
# Version: 2.6.2
# Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2

# Proof of Concept:
#
# 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.
# 2- Open Soliloquy and use "Add New" button to add new post.
# 3- Add payload to title. Payload: <script>alert(document.cookie)</script>
# 4- Add any image in post.
# 5- Publish the post.
# 6- XSS has been triggered.
#
# Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users.
# Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Slider By Soliloquy 2.6.2 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.