ManhNho

CVE-2018-10752

May 4th, 2018
2,211
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Exploit Title: WordPress Plugin Tagregator 0.6 - Stored XSS
  2. # Date: 05/05/2018
  3. # Exploit Author: ManhNho
  4. # Vendor Homepage: https://wordpress.org/plugins/tagregator/
  5. # Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
  6. # Version: 0.6
  7. # Tested on: CentOS 6.5
  8. # CVE : CVE-2018-10752
  9. # Category : Webapps
  10.  
  11. 1. Description
  12. ===========
  13. WordPress Plugin Tagregator 0.6 - Stored XSS
  14.  
  15. 2. Proof of Concept
  16. ===========
  17.  
  18. #1. Login to admin panel
  19. #2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram Media/Flickr Post/Google+ Activities and click "Add New" button
  20. #3. In title field, inject XSS pattern such as:
  21. <script>alert('ManhNho')</script> and click Preview button
  22. #4. This site will response url that will alert popup named ManhNho
  23. #5. Send this xss url to another administrators, we have same alert
RAW Paste Data