WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 – “Dashboard Redirect” field Stored Cross-Site Scripting (XSS)

• Exploit Database
• 47 阅读

• 作者： Rachit Arora
  日期： 2024-02-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51831/

• # Exploit Title:  WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field  Stored Cross-Site Scripting (XSS)
  # Google Dork: NA
  # Date: 28/10/2023
  # Exploit Author: Rachit Arora
  # Vendor Homepage: 
  # Software Link:  https://wordpress.org/plugins/admin-bar-dashboard-control/
  # Version: 1.2.8
  # Category: Web Application
  # Tested on: Windows
  # CVE : 2023-47184
  
  
  1. Install WordPress (latest)
  
  2. Install and activate Admin Bar & Dashboard Access Control.
  
  3. Navigate to "Admin Bar & Dash"  >> Under Dashboard Access and in the "Dashboard Redirect" enter the payload into the input field.
  
  "onfocusin=alert``+autofocus>
  "onfocusin=alert`document.domain`+autofocus>
  
  4. You will observe that the payload successfully got stored  and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.