6 matches found
Automattic: Reflected XSS on an Atavist theme at external_import.php
Summary: Hi team, I found this php file https://magazine.atavist.com/static/externalimport.php, and there is a parameter called scripts on this php file. Basically, the endpoint prints the value of the scripts parameter to . So we can import any script file like that:...
Automattic: Site-wide CSRF at Atavist
Summary: Hi team, I have an Atavist Magazine account. And there are no CSRF tokens on account settings. For example: - When changing email there is a user ID but they are sequential: F936597 - Deleting credit card: F936618 - Cancelling subscription:...
Automattic: Can buy Atavist Magazine subscription for free
Summary: Hi team, If you go to https://magazine.atavist.com/ and scroll down, you will see the membership price is $25, but I found a way to buy this subscription for free via the Gift feature. When you send a gift request before adding any credit card to your account you will see this response: F936531...
Automattic: IDOR when editing email leads to Account Takeover on Atavist
Summary: Hi team, I created an account on Atavist and checked my settings page. I can change my email at https://magazine.atavist.com/cms/reader/account with this request: F936117 And as you can see, there is an id parameter in the request data. It's our user ID, and it's vulnerable to IDOR. So we c...
Automattic: Reflected XSS at /category/ on an Atavist theme
Summary: Hi team, This report is similar to 947790. You fixed the XSS on search, but I found another XSS at /category/xsspayload. For PoC you can check these URLs: https://magazine.atavist.com/category/%22%3E%3Csvg%20onload%3Dalert%60XSS%60%3E...
Automattic: Reflected XSS on an Atavist theme
Summary: Hi team, I found Reflected XSS on an Atavist theme and there are a lot of affected websites. I don't know the theme's name but it's in use at https://magazine.atavist.com/ Just write alertdocument.domain to the search field...