iLive <= 1.0.4 - Stored Cross-Site Scripting (XSS)

2019-07-09T00:00:00
ID WPVDB-ID:9444
Type wpvulndb
Reporter m0ze
Modified 2019-11-27T00:00:00

Description

Go to the demo website http://www.ilive.wpapplab.com/ and open the chat window by clicking the «Chat» icon in the bottom right corner. Enter your payload in the input field and press [Enter]. The provided example payloads work in the admin area, so it's possible to steal admin cookies or force a redirect to any other website.

To check your XSS injections, log in at http://www.ilive.wpapplab.com/wp-admin/ with the provided credentials (operator1 / Operator_1, operator2 / Operator_2, operator3 / Operator_3), go to the page http://www.ilive.wpapplab.com/wp-admin/admin.php?page=ilive-chat-page, then select your chat alias from the list. Keep in mind that there are 3 demo operators, so you must log in as the operator assigned to your chat (the operator number will be available after you send the first message in the chat).

Example #1: Example #2: Example #3: Example #4: Example #5:
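
The flow described above (visitor chat text is stored, then displayed on the operator's admin chat page) is fixed by encoding the stored text at output time. The following is an added illustration, not the iLive plugin's code: the function names, the message fields and the sample rows are hypothetical, and it assumes each chat line is written into an HTML element body.

```php
<?php
// Added illustration with hypothetical names; not taken from the iLive plugin.

/** Vulnerable pattern: stored visitor text is concatenated into admin HTML as-is. */
function render_chat_line_unsafe(array $msg): string
{
    return '<li><strong>' . $msg['alias'] . '</strong>: ' . $msg['text'] . '</li>';
}

/** Encode a value for an HTML element body or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: every stored field is encoded when it is rendered. */
function render_chat_line_safe(array $msg): string
{
    return '<li><strong>' . h($msg['alias']) . '</strong>: ' . h($msg['text']) . '</li>';
}

// Constructed sample rows standing in for stored chat messages.
// The alias is treated as untrusted too (assumption: it is shown in the operator's list).
$stored = [
    ['alias' => 'visitor-17', 'text' => 'Hello, is support online?'],
    ['alias' => 'visitor-18', 'text' => '<script>/* constructed marker */</script>'],
    ['alias' => '<i>visitor-19</i>', 'text' => 'plain text, markup in the alias'],
];

foreach ($stored as $msg) {
    $unsafe = render_chat_line_unsafe($msg);
    $safe   = render_chat_line_safe($msg);
    // A difference means HTML-special characters were stored and would have
    // reached the operator's browser unencoded through the unsafe renderer.
    $flag = ($unsafe !== $safe) ? 'SPECIAL' : 'plain  ';
    echo $flag, ' ', $safe, PHP_EOL;
}
```

Inside a WordPress plugin, the core helpers `esc_html()` and `esc_attr()` fill the role of `h()` here.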