Wordpress wp-recipe-maker Cross Site Scripting

2024.02.01

H4X Forensics - diyar (IQ)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: 79

Dork: [N/A]

# Exploit Title: [wp-recipe-maker Cross Site Scripting]
# Google Dork: [N/A]
# Date: [31/1/2024]
# Exploit Author: [H4X.Forensics - Diyar]
# Vendor Homepage: [ https://wordpress.org/plugin]
# Software Link: [ https://downloads.wordpress.org/plugin/wp-recipe-maker.zip]
# Version: [6.4.2] (6.4.2)
# Tested on: [Windows]
# CVE : N/A
Vulnerable Code :

?>
<a href="<?php echo esc_url( $back_link ); ?>" id="wprm-print-button-back" class="wprm-print-button"><?php _e( 'Go Back', 'wp-recipe-maker' );?></a>
<?php

Exploit : 

Click wp-recipe-maker 
Click create recipe
From video section click embed video 
Insert this payload : <video src=1 href=1 onerror="javascript:alert(1)"></video>
Click save and close .
7lick print button 
Alert Message will pop-up



Sent with Proton Mail secure email.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wordpress wp-recipe-maker Cross Site Scripting

Dork: [N/A]

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.