WordPress Motopress Hotel Booking Lite 4.4.2 Cross Site Scripting

2022.09.28

Credit: Ali Alipour

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.4.2 - Stored Cross-Site Scripting (XSS)
# Date: 2022-09-28
# Exploit Author: Ali Alipour
# Vendor Homepage: https://motopress.com/
# Software Link: https://wordpress.org/plugins/motopress-hotel-booking-lite/
# Version: 4.4.2
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : N/A


PoC:

1: Install Latest WordPress

2: Install and activate Latest Motopress Hotel Booking Lite (4.4.2).

3: Navigate to Accommodation >> Services.

4: Click on "Add New" button And Enter the JavaScript Payload in the Title Field : ( "><script>alert("XSS")</script> )

5:Click on the publish button.

6. Visit http://localhost/wp/services/

7. XSS payload execute.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Motopress Hotel Booking Lite 4.4.2 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.