WordPress Plugin Sell Downloads 1.0.86 – Cross-Site Scripting

Exploit Database
90 阅读

作者： Mr Winst0n

日期： 2019-09-09
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/47369/

# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: September 09,2019
# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
# Software Link : https://wordpress.org/plugins/sell-downloads/
# Tested Version: 1.0.86
# Tested on: Parrot OS, WordPress 5.1.1


# PoC:
1- Go to "Products for Sale" section
2- Click on "Add New"
3- In opend window click on "Add Comment"
4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
5- Click on "Publish" (or "Update" if you editing an existing product)
6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up.

last Exploits
WordPress Plugin Sell Downloads 1.0.86 – Cross-Site Scripting的更多信息

D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router – Authentication Bypass：
User Management System 2.0 – Authentication Bypass：
Visual Tools DVR VX16 4.2.28.0 – OS Command Injection (Unauthenticated)：
Hot or Not Picture Rating Script – SQL Injection：
Advanced Electron Forum 1.0.9 – Persistent Cross-Site Scripting：
UBBCentral UBB.Threads 7.5.6 – ‘Username’ Cross-Site Scripting：
RTTucson Quotations Database Script – Authentication Bypass：
Fw-BofF (oolime-resurrection) 1.5.3beta – Multiple Remote File Inclusions：