
5 changes to exploits/shellcodes Xlight FTP 3.9.3.1 - Buffer Overflow (PoC) Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS) WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS) Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Date: 11/12/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: 1.8.2
# Tested on: Windows 10

# PoC:

1. Install the latest WordPress.
2. Install and activate AccessPress Social Icons 1.8.2.
3. Open the plugin in the left frame and go to the "add new" field. Click "Choose icon individually" and fill in the other fields.
4. Enter the JavaScript payload shown below into the 'icon title' field and click "Add Icon to list".

<img src=x onerror=confirm('xss')>

5. You will observe that the payload is successfully stored in the database and the alert is shown on the screen.
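
The steps above work because the 'icon title' value is stored and later written into the page without encoding. The following added example (not the plugin's own code; the function names are hypothetical) shows the weak render pattern beside a hardened one. It uses plain-PHP stand-ins so it runs without WordPress; inside a plugin the equivalents are sanitize_text_field() on save and esc_attr()/esc_html() on output.

```php
<?php
// Added example with hypothetical function names, not taken from the plugin.

// Constructed sample inputs: the PoC value from the steps above and a normal title.
$samples = [
    "<img src=x onerror=confirm('xss')>",
    "Follow us on Mastodon",
];

// Weak pattern: the stored title is concatenated into markup unchanged,
// so any tag it contains becomes part of the page.
function render_icon_unsafe(string $title): string
{
    return '<li class="icon"><span class="title">' . $title . '</span></li>';
}

// Input side: drop tags and control characters, collapse whitespace.
// (Stand-in for sanitize_text_field() when saving the field.)
function clean_icon_title(string $raw): string
{
    $text = strip_tags($raw);
    $text = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);
    return trim((string) preg_replace('/\s+/', ' ', $text));
}

// Output side: encode for the HTML context regardless of what was stored,
// which also neutralises rows saved before the input check existed.
// (Stand-in for esc_attr()/esc_html() when printing the field.)
function render_icon_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="icon"><span class="title" title="' . $encoded . '">'
        . $encoded . '</span></li>';
}

foreach ($samples as $title) {
    echo "input   : ", $title, PHP_EOL;
    echo "unsafe  : ", render_icon_unsafe($title), PHP_EOL;
    echo "encoded : ", render_icon_safe($title), PHP_EOL;
    echo "cleaned : ", render_icon_safe(clean_icon_title($title)), PHP_EOL, PHP_EOL;
}
```

Both layers matter: cleaning on save keeps markup out of the database, and encoding on output protects every place the title is printed, including values that were stored earlier.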