
17 changes to exploits/shellcodes:

- CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path
- Mozilla Firefox 67 - Array.pop JIT Type Confusion
- Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
- Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
- uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
- Chamilo LMS 1.11.14 - Account Takeover
- Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
- WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
- Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
- PHP Restaurants 1.0 - SQLi (Unauthenticated)
- Moodle 3.11.4 - SQL Injection
- Huawei DG8045 Router 1.0 - Credential Disclosure
- PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
- WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
- WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
- WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
- WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
# Exploit Title: WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-fo...ck-tester/
# Version: 1.0.2
# Tested on: Windows 10
# CVE: CVE-2021-24247

1. Description:

The plugin settings are visible to all registered users in the dashboard.
A registered user can leave a payload in the plugin settings.

2. Proof of Concept:

- Register an account
- Navigate to the dashboard
- Go to CF7 Check Tester -> Settings
- Add a form
- Add a field to the form
- Put a payload in either Field selector or Field value: "><script>alert(1)</script>
- Save

Anyone who visits the settings page will execute the payload.
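As an added illustration that is not the plugin's code, a hypothetical pair of WordPress settings handlers: the first reproduces the two defects the description names (a settings page and save path reachable by any registered user, and the saved value echoed unescaped), the second gates both on manage_options, adds a nonce, and escapes on output. All function, slug and option names here are invented.

```php
<?php
// Hypothetical example, not taken from the plugin. Assumes it runs inside
// WordPress so that add_menu_page(), update_option() etc. are available.

// --- Vulnerable pattern --------------------------------------------------
// 'read' is granted to every registered user (Subscriber and up), so the page
// and its save handler are reachable by anyone who can register an account.
function vuln_register_menu() {
    add_menu_page('Check Tester', 'Check Tester', 'read',
                  'vuln-check-tester', 'vuln_render_settings');
}
function vuln_save_settings() {
    // No capability check, no nonce: any logged-in user can write settings.
    update_option('vuln_field_selector', $_POST['field_selector']);
}
function vuln_render_settings() {
    $sel = get_option('vuln_field_selector', '');
    // Unescaped output: a stored value starting with "> closes the attribute
    // and runs in the browser of whoever opens this page (stored XSS).
    echo '<input name="field_selector" value="' . $sel . '">';
}

// --- Hardened pattern ----------------------------------------------------
add_action('admin_menu', 'safe_register_menu');
add_action('admin_post_safe_check_tester_save', 'safe_save_settings');

function safe_register_menu() {
    // Only administrators (manage_options) can see the settings page.
    add_menu_page('Check Tester', 'Check Tester', 'manage_options',
                  'safe-check-tester', 'safe_render_settings');
}
function safe_save_settings() {
    // Re-check on the write path: the menu gate alone is not enough because
    // admin-post.php can be requested directly.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    check_admin_referer('safe_check_tester_save');   // CSRF nonce
    $sel = sanitize_text_field(wp_unslash($_POST['field_selector'] ?? ''));
    update_option('safe_field_selector', $sel);
    wp_safe_redirect(admin_url('admin.php?page=safe-check-tester'));
    exit;
}
function safe_render_settings() {
    $sel = get_option('safe_field_selector', '');
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="safe_check_tester_save">';
    wp_nonce_field('safe_check_tester_save');
    // Contextual escaping: esc_attr() neutralises " and < inside the attribute.
    echo '<input name="field_selector" value="' . esc_attr($sel) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The capability check on the save handler is the fix for the access-control issue the advisory reports; the output escaping is what stops a value that was already stored from executing.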