| tiêu đề | EmbedPress Stored XSS |
|---|
| Mô tả | xss vulnerability in latest EmbedPress wordpress plugin and post edit
we can insert xss payload like javascript:alert and submit to post
[embedpress_pdf]javascript:alert(document.location.href)[/embedpress_pdf]
1. install EmbedPress wordpress plugin
2. create new shortcode or exist shortcode
3. goto posts and create or edit exist post
4. insert payload like that
[embedpress_pdf]javascript:alert(document.location.href)[/embedpress_pdf]
5. submit and goto posts view
POC:
https://drive.google.com/file/d/1wZXBTvdHO5egFo06gxCF06hWX7tbb5Ud/view?usp=sharing
https://drive.google.com/file/d/1ikhbybTAEFVbZ3OdWNvUocl8nRhff-Kc/view?usp=sharing |
|---|
| Người dùng | rezaduty (UID 10530) |
|---|
| Đệ trình | 31/10/2022 08:28 (cách đây 4 những năm) |
|---|
| Kiểm duyệt | 31/10/2022 15:08 (7 hours later) |
|---|
| Trạng thái | Bản sao |
|---|
| Mục VulDB | 212503 [EmbedPress Plugin trên WordPress Shortcode post.php Tập lệnh chéo trang] |
|---|
| Giải thích | not possible without admin permissions |
|---|
| điểm | 0 |
|---|