0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress RSS for Yandex Turbo Plugin 1.29 - Stored Cross-Site Scripting (XSS) Vulnerability
# Exploit Title: WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS) # Exploit Author: Himamshu Dilip Kulkarni # Software Link: https://wordpress.org/plugins/rss-for-yandex-turbo/ # Version: 1.29 # Tested on: Windows #Steps to reproduce vulnerability: 1. Install WordPress 5.6 2. Install and activate "RSS for Yandex Turbo" plugin. 3. Navigate to Setting >> Яндекс.Турбо >> Счетчики and enter the data into all the six user input field and submit the request. 4. Capture the request into burp suite and append the following mentioned JavaScript payloads (one payload per parameter) "+onmouseover="alert(1) "+onmouseover="alert(2) "+onmouseover="alert(3) "+onmouseover="alert(4) "+onmouseover="alert(5) "+onmouseover="alert(6) 5. You will observe that the payloads got successfully stored into the database and when you move the mouse cursor over these fields the JavaScript payloads get executed successfully and we get a pop-up. # 0day.today [2024-07-08] #