Lucene search
Bastijn Ouwendijk1337DAY-ID-36322HistoryJun 01, 2021 - 12:00 a.m.
WordPress WP Prayer v1.6.1 Plugin - (prayer_messages) Stored Cross-Site Scripting Vulnerability
2021-06-0100:00:00
Bastijn Ouwendijk
0day.today
21
wordpress
plugin
prayer
cross-site scripting
vulnerability
authenticated
exploit
homepage
software
version
windows 10
proof
payload
alert
EPSS
0.001
Percentile
19.8%
# Exploit Title: WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Bastijn Ouwendijk
# Vendor Homepage: http://goprayer.com/
# Software Link: https://wordpress.org/plugins/wp-prayer/
# Version: 1.6.1 and earlier
# Tested on: Windows 10
# Proof: https://bastijnouwendijk.com/cve-2021-24313/
Steps to exploit this vulnerability:
1. Log into the WordPress website with a user account, can be a user with any role
2. Go to the page where prayer or praise request can be made and fill in the requested information
3. In the 'prayer_messages' field of the prayer request form put the payload: <script>alert("XSS")</script>
4. Submit the form
5. Go to the page where the prayer requests are listed
6. The prayer requests are loaded and an alert is shown with text 'XSS' in the browser
Related
wpvulndb
wpvulndb
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
2021-05-17 00:00:00
cnvd
cnvd
WordPress WP Prayer plugin cross-site scripting vulnerability
2021-06-03 00:00:00
patchstack
patchstack
packetstorm
packetstorm
WordPress WP Prayer 1.6.1 Cross Site Scripting
2021-06-01 00:00:00
cvelist
cvelist
wpexploit
wpexploit
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
2021-05-17 00:00:00
prion
prion
Input validation
2021-06-01 14:15:00
cve
cve
CVE-2021-24313
2021-06-01 14:15:08
nvd
nvd
CVE-2021-24313
2021-06-01 14:15:08
exploitdb
exploitdb