MyBB Trending Widget Plugin 1.2 – Cross-Site Scripting

• Exploit Database
• 17 阅读

• 作者： 0xB9
  日期： 2021-02-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49504/

• # Exploit Title: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting
  # Date: 11/28/2018
  # Author: 0xB9
  # Software Link: https://github.com/zainali99/trends-widget
  # Version: 1.2
  # Tested on: Windows 10
  
  1. Description:
  This plugin shows the most trending threads. Trending thread titles aren't sanitized to user input.
  
  2. Proof of Concept:
  
  - Have a trending thread in the widget
  - Change the thread title to a payload <script>alert('XSS')</script>
  Anyone that visits the forum will execute payload