# Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)# Date: 02/12/2021# Exploit Author: Abdurrahman Erkan (@erknabd)# Vendor Homepage: https://soliloquywp.com/# Software Link: https://wordpress.org/plugins/soliloquy-lite/# Version: 2.6.2# Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2# Proof of Concept:## 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.# 2- Open Soliloquy and use "Add New" button to add new post.# 3- Add payload to title. Payload: <script>alert(document.cookie)</script># 4- Add any image in post.# 5- Publish the post.# 6- XSS has been triggered.## Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users.# Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.
