WordPress WP-Invoice 4.3.1 Cross Site Scripting

News.nextcloud.asia

The WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

SHA-256 | 1198ae90a0a19ceea8037a4ba1f3a90e0f447c7505ff7bf4fad7fd12b756e2b3

# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/
# Version: 4.3.1
# Tested on: Firefox
# Contact me: [email protected]

# Vulnerable Code:
```
wpi.business_name='<?php echo ($wpi_settings['business_name']); ?>'; // stored option value echoed unescaped into a JS string literal
```

# POC
1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to WP-Invoice settings and inside the Business Name field inject the XSS payload `"><img src=x onerror=alert(1)>`
3. XSS will trigger and will be stored.
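Added example, not the plugin's code: the unsafe pattern from the advisory beside output-encoded versions for the JavaScript-string and HTML-attribute contexts. `$wpi_settings` is a constructed stand-in for the plugin's option array, and the `<input>` rendering assumes the stored setting is echoed back into the settings form.

```php
<?php
// Added example, not the plugin's code. $wpi_settings is a constructed stand-in
// for the plugin's option array; inside WordPress, wp_json_encode() and
// esc_attr() play the roles of json_encode() and htmlspecialchars() used here.

// Unsafe pattern from the advisory: the stored option is pasted raw into a JS
// string literal, so a quote in the value ends the literal early and whatever
// follows is parsed as script (or, via "</script>", as HTML).
function render_business_name_unsafe(array $wpi_settings): string
{
    return "<script>wpi.business_name='" . $wpi_settings['business_name'] . "';</script>";
}

// Hardened JS-context output: json_encode() emits a complete, quoted JS string
// literal, and the HEX flags turn < > & ' " into \uXXXX escapes so the value
// can neither close the literal nor smuggle in a closing </script> tag.
function render_business_name_safe(array $wpi_settings): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_AMP;
    $encoded = json_encode((string) $wpi_settings['business_name'], $flags);
    if ($encoded === false) {
        $encoded = '""';   // invalid UTF-8 etc.: fail closed with an empty string
    }
    return "<script>wpi.business_name=" . $encoded . ";</script>";
}

// Hardened HTML-attribute output for the same value when the settings form
// echoes it back into <input value="...">; ENT_QUOTES covers both quote styles.
function render_business_name_field(array $wpi_settings): string
{
    $escaped = htmlspecialchars((string) $wpi_settings['business_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="business_name" value="' . $escaped . '">';
}

// Constructed sample: the payload from the advisory's PoC stored as the setting.
$wpi_settings = ['business_name' => '"><img src=x onerror=alert(1)>'];

echo render_business_name_unsafe($wpi_settings), PHP_EOL;
echo render_business_name_safe($wpi_settings), PHP_EOL;
echo render_business_name_field($wpi_settings), PHP_EOL;
```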

## POC Image

https://imgur.com/rsHIEO9
