Wordpress Activity Log 2.4.0 Plugin - Stored Cross Site Scripting Vulnerability
Risk: Security Risk Medium
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Exploit Author : Stefan Broeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps

Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) is affected by several Stored XSS vulnerabilities.

Vulnerable part of code
=======================
Storing the payload:

File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.

File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.

File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.

Displaying the payload:

File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.

Impact
======
Arbitrary JavaScript code can be run in the browser if a user is able to create a post or upload an attachment.

Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:

- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title

Regular website visitors will not have the capability to do any of these; however, possible threat actors might include:

- A user with the role of ‘editor’ within WordPress (non-admins who are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin

Once the payload has been injected, it is executed whenever the Activity Log is viewed. This can possibly lead to theft of CSRF nonces and creation of new (administrator) users on the WordPress instance.

Solution
========
Update to 2.4.1

# 0day.today [2024-12-25] #
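The storing and displaying paths described above share one root cause: a title that may contain HTML reaches the log table without output escaping. The following PHP is an added example, not code from the plugin or from the advisory author. The function names and sample rows are constructed, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the example runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.

// Constructed rows standing in for stored activity-log entries.
// object_name holds a post or attachment title exactly as it was saved.
$rows = [
    (object) ['action' => 'updated', 'object_name' => 'Quarterly report'],
    (object) ['action' => 'created', 'object_name' => 'Hello <script>alert(1)</script>'],
    (object) ['action' => 'trashed', 'object_name' => 'Tom & Jerry "draft"'],
];

// Unsafe pattern from the advisory: the stored title is placed into the
// HTML of the log table unchanged, so markup in it is interpreted.
function render_cell_unsafe(object $item): string
{
    return '<td>' . $item->object_name . '</td>';
}

// Hardened pattern: escape at output time for an HTML text context.
// Inside a WordPress plugin, esc_html() is the function for this job.
function render_cell_safe(object $item): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<td>' . htmlspecialchars($item->object_name, $flags, 'UTF-8') . '</td>';
}

// Audit heuristic for entries already stored: a value that changes when
// tags are stripped contains markup and deserves a manual look.
function contains_markup(string $value): bool
{
    return $value !== strip_tags($value);
}

foreach ($rows as $row) {
    printf(
        "%-8s markup=%-3s\n  unsafe: %s\n  safe:   %s\n",
        $row->action,
        contains_markup($row->object_name) ? 'yes' : 'no',
        render_cell_unsafe($row),
        render_cell_safe($row)
    );
}
```

Escaping at display time also neutralizes entries that were logged before the upgrade, which input-side sanitization alone would not.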