ID PACKETSTORM:149016
Type packetstorm
Reporter ManhNho
Modified 2018-08-21T00:00:00
Description
`# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
# Date: 2018-05-05
# Exploit Author: ManhNho
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
# Ref: https://pastebin.com/ZGr5tyP2
# Version: 0.6
# Tested on: CentOS 6.5
# CVE : CVE-2018-10752
# Category : Webapps
# 1. Description
# WordPress Plugin Tagregator 0.6 - Stored XSS via the title field of an "Add New" item (an authenticated admin session is required to submit it)
# 2. Proof of Concept
1. Log in to the admin panel
2. Open the WordPress Tagregator settings, then choose Tweets/Instagram
Media/Flickr Post/Google+ Activities and click the "Add New" button
3. In the title field, inject an XSS pattern such as:
<script>alert('xss')</script> and click the Preview button
4. The site responds with a URL that triggers an alert popup showing "xss"
5. Send this XSS URL to another administrator; the same alert appears for them
`
{"id": "PACKETSTORM:149016", "bulletinFamily": "exploit", "title": "WordPress Tagregator 0.6 Cross Site Scripting", "description": "", "published": "2018-08-21T00:00:00", "modified": "2018-08-21T00:00:00", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://packetstormsecurity.com/files/149016/WordPress-Tagregator-0.6-Cross-Site-Scripting.html", "reporter": "ManhNho", "references": [], "cvelist": ["CVE-2018-10752"], "type": "packetstorm", "lastseen": "2018-08-21T09:58:04", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "aea6619231980d2617cc744d5c2860d8"}, {"key": "cvss", "hash": "d16a1892885a4cedfc7b1d4344ffb50d"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "5684d0ab639fa28c9e5f66fda765fa22"}, {"key": "modified", "hash": "6f586672e78b66cbe067ed44d52efefb"}, {"key": "published", "hash": "6f586672e78b66cbe067ed44d52efefb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "66b62f7df73b9a73b8fe83a45f6bd096"}, {"key": "sourceData", "hash": "3879a806adacb90d85c0b996c5559001"}, {"key": "sourceHref", "hash": "ba8a2a2e4228145b149026141fc22fe7"}, {"key": "title", "hash": "f667045419b30fd6f348206055a08eab"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "hash": "5025c5e7012401c808699bae55198f58ab43dc7c728270b169fd8c55aa15dea4", "viewCount": 26, "enchantments": {"score": {"value": 3.4, "vector": "NONE", "modified": "2018-08-21T09:58:04"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-10752"]}, {"type": "exploitdb", "idList": ["EDB-ID:45225"]}, {"type": "zdt", "idList": ["1337DAY-ID-30917"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9526"]}], "modified": "2018-08-21T09:58:04"}, "vulnersScore": 3.4}, "objectVersion": "1.3", "sourceHref": 
"https://packetstormsecurity.com/files/download/149016/wptagregator06-xss.txt", "sourceData": "`# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting \n# Date: 2018-05-05 \n# Exploit Author: ManhNho \n# Vendor Homepage: https://wordpress.org/plugins/tagregator/ \n# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip \n# Ref: https://pastebin.com/ZGr5tyP2 \n# Version: 0.6 \n# Tested on: CentOS 6.5 \n# CVE : CVE-2018-10752 \n# Category : Webapps \n \n# 1. Description \n# WordPress Plugin Tagregator 0.6 - Stored XSS \n \n# 2. Proof of Concept \n \n1. Login to admin panel \n2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram \nMedia/Flickr Post/Google+ Activities and click \"Add New\" button \n3. In title field, inject XSS pattern such as: \n<script>alert('xss')</script> and click Preview button \n4. This site will response url that will alert popup named xss \n5. Send this xss url to another administrators, we have same alert \n \n`\n"}
{"cve": [{"lastseen": "2019-05-29T18:19:42", "bulletinFamily": "NVD", "description": "The Tagregator plugin 0.6 for WordPress has stored XSS via the title field in an Add New action.", "modified": "2019-03-07T19:08:00", "id": "CVE-2018-10752", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10752", "published": "2018-05-05T02:29:00", "title": "CVE-2018-10752", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2018-08-20T19:45:09", "bulletinFamily": "exploit", "description": "WordPress Plugin Tagregator 0.6 - Cross-Site Scripting. CVE-2018-10752. Webapps exploit for PHP platform", "modified": "2018-08-20T00:00:00", "published": "2018-08-20T00:00:00", "id": "EDB-ID:45225", "href": "https://www.exploit-db.com/exploits/45225/", "type": "exploitdb", "title": "WordPress Plugin Tagregator 0.6 - Cross-Site Scripting", "sourceData": "# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting\r\n# Date: 2018-05-05\r\n# Exploit Author: ManhNho\r\n# Vendor Homepage: https://wordpress.org/plugins/tagregator/\r\n# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip\r\n# Ref: https://pastebin.com/ZGr5tyP2\r\n# Version: 0.6\r\n# Tested on: CentOS 6.5\r\n# CVE : CVE-2018-10752\r\n# Category : Webapps\r\n\r\n# 1. Description\r\n# WordPress Plugin Tagregator 0.6 - Stored XSS\r\n\r\n# 2. Proof of Concept\r\n\r\n1. Login to admin panel\r\n2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram\r\nMedia/Flickr Post/Google+ Activities and click \"Add New\" button\r\n3. In title field, inject XSS pattern such as:\r\n <script>alert('xss')</script> and click Preview button\r\n4. This site will response url that will alert popup named xss\r\n5. 
Send this xss url to another administrators, we have same alert", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/45225/"}], "zdt": [{"lastseen": "2018-08-20T20:26:59", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-08-20T00:00:00", "published": "2018-08-20T00:00:00", "id": "1337DAY-ID-30917", "href": "https://0day.today/exploit/description/30917", "title": "WordPress Tagregator 0.6 Plugin - Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting\r\n# Exploit Author: ManhNho\r\n# Vendor Homepage: https://wordpress.org/plugins/tagregator/\r\n# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip\r\n# Ref: https://pastebin.com/ZGr5tyP2\r\n# Version: 0.6\r\n# Tested on: CentOS 6.5\r\n# CVE : CVE-2018-10752\r\n# Category : Webapps\r\n \r\n# 1. Description\r\n# WordPress Plugin Tagregator 0.6 - Stored XSS\r\n \r\n# 2. Proof of Concept\r\n \r\n1. Login to admin panel\r\n2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram\r\nMedia/Flickr Post/Google+ Activities and click \"Add New\" button\r\n3. In title field, inject XSS pattern such as:\r\n <script>alert('xss')</script> and click Preview button\r\n4. This site will response url that will alert popup named xss\r\n5. 
Send this xss url to another administrators, we have same alert\n\n# 0day.today [2018-08-20] #", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/30917"}], "wpvulndb": [{"lastseen": "2019-11-28T00:46:18", "bulletinFamily": "software", "description": "WordPress Vulnerability - Tagregator <= 0.6 - Stored XSS\n", "modified": "2019-11-27T00:00:00", "published": "2019-08-21T00:00:00", "id": "WPVDB-ID:9526", "href": "https://wpvulndb.com/vulnerabilities/9526", "type": "wpvulndb", "title": "Tagregator <= 0.6 - Stored XSS", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}