
7 changes to exploits/shellcodes/ghdb
DataEase 2.4.0 - Database Configuration Information Exposure
Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
Watcharr 1.43.0 - Remote Code Execution (RCE)
WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)
Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload
Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS
# Date: 2024-10-01
# Exploit Author: Ilteris Kaan Pehlivan
# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/
# Version: Reservit Hotel 2.1
# Tested on: Windows, WordPress, Reservit Hotel < 3.0
# CVE : CVE-2024-9458

The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site
Scripting attacks even when the unfiltered_html capability is disallowed
(for example in multisite setup).

1. Install and activate Reservit Hotel plugin.
2. Go to Reservit hotel > Content
3. Add the following payload to the Button text > French field sane save: "
style=animation-name:rotation onanimationstart=alert(/XSS/)//
4. The XSS will trigger upon saving and when any user will access the
content dashboard again

References:
https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/
https://www.cve.org/CVERecord?id=CVE-2024-9458
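
Review bot: the header fields disagree on the affected version: the title and "# Tested on:" say "Reservit Hotel < 3.0" while "# Version:" says "Reservit Hotel 2.1", so state the affected range and the tested release separately, or make the fields match. "# Vendor Homepage:" points at the wpscan.com plugin page rather than a vendor site. In step 3, "sane save" looks like a typo for "and save", and the payload is split across two lines with its opening double quote left at the end of the step 3 line; keep the whole string on one line so the entry is unambiguous. The description says "some of its settings" but the steps name only "Button text > French"; naming the affected fields would help anyone verifying the fix in 3.0.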