WordPress Tagregator 0.6 Plugin - Cross-Site Scripting Vulnerability

2018-08-20T00:00:00
ID 1337DAY-ID-30917
Type zdt
Reporter ManhNho
Modified 2018-08-20T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
# Exploit Author: ManhNho
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
# Ref: https://pastebin.com/ZGr5tyP2
# Version: 0.6
# Tested on: CentOS 6.5
# CVE : CVE-2018-10752
# Category : Webapps
 
# 1. Description
# WordPress Plugin Tagregator 0.6 - Stored XSS
 
# 2. Proof of Concept
 
1. Login to admin panel
2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram
Media/Flickr Post/Google+ Activities and click "Add New" button
3. In title field, inject XSS pattern such as:
    <script>alert('xss')</script> and click Preview button
4. This site will response url that will alert popup named xss
5. Send this xss url to another administrators, we have same alert

#  0day.today [2018-08-20]  #