dfb28913d0
7 changes to exploits/shellcodes Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path rpc.py 0.6.0 - Remote Code Execution (RCE) Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution Geonetwork 4.2.0 - XML External Entity (XXE) Dingtian-DT-R002 3.1.276A - Authentication Bypass Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
15 lines
No EOL
821 B
Text
15 lines
No EOL
821 B
Text
# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
|
|
# Date: 21/07/2022
|
|
# Exploit Author: Steffin Stanly
|
|
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
|
|
# Software Link: https://wordpress.org/plugins/wp-useronline/
|
|
# Version: <=2.87.6
|
|
# Tested on Windows
|
|
|
|
How to reproduce vulnerability:
|
|
|
|
1. Install WordPress 6.0.1
|
|
2. Install and activate WP-UserOnline plugin.
|
|
3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site.
|
|
4. Add the following payload "><script>alert(1)</script> and save changes
|
|
5. On visiting the dashboard, You will observe that the payload successfully got stored in the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up. |