WordPress Plugin Payments Plugin | GetPaid 2.4.6 – HTML Injection

• Exploit Database
• 13 阅读

• 作者： Niraj Mahajan
  日期： 2021-09-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50246/

• # Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
  # Date: 29/08/2021
  # Exploit Author: Niraj Mahajan
  # Software Link: https://wordpress.org/plugins/invoicing/
  # Version: 2.4.6
  # Tested on Windows
  
  *Steps to Reproduce:*
  1. Install WordPress 5.8
  2. Install and Activate "WordPress Payments Plugin | GetPaid" Version 2.4.6
  3. Navigate to GetPaid > Payment Forms
  4. Click on "Add New" in the Payment Form page
  5. Add a title and Click on Billing Email
  6. You can see the "Help Text" field on the left hand side.
  7. Add the below HTML code into the "Help Text" Field.
  <img src="https://www.exploit-db.com/exploits/50246/
  https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg"
  height="200px" width="200px">
  8. You will observe that the HTML code has successfully got stored into the database and executed successfully and we are getting an Image at the right hand side.