Well, sir, I just found a Stored-XSS bug here.
When I log into the WordPress panel, assume I have a low-privilege role like a contributor user.
Because the admin user has turned on the option of the wp-plugin simple-download-monitor, a normal user like me can also use it.
Now I can write something in the function "Edit Download":
http://localhost/wordpress/wp-admin/post.php?post=x&action=edit
But when I fuzzed the parameters in this plugin, I found that when I write something into these points, it does not filter well:
1. File Thumbnail (Optional)
2. Downloadable File (Visitors will download this item)
While it tells us to enter a valid URL of the file in the text box below, I can write something with evil content like:
http://www.test.com/1.php'"><svg/onload=alert(document.cookie)><'"
Then we can publish the post or just submit it to the admin user for an audit.
It won't be long before I get the other user's, even the admin user's, cookie or do something more evil.
Well, by the way, I just tested the bug in WordPress 4.9.1 and the latest version of the wp-plugin simple-download-monitor.
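The defect behind this report is a stored URL written into an HTML attribute without validation or output escaping. The following is an added example in plain PHP, not the plugin's code: the function names, the http/https-only policy and the SAMPLE_INPUT value (constructed after the payload shape quoted above) are assumptions, and WordPress's own esc_url() / esc_attr() are the in-framework equivalents of the escaping step shown here.

```php
<?php
// Added example, not the plugin's code. It contrasts writing a stored download
// URL into an HTML attribute verbatim (the failure the report describes) with
// validating the URL and escaping it for the attribute context.

// Constructed sample input, shaped like the payload in the report.
const SAMPLE_INPUT = "http://www.test.com/1.php'\"><svg/onload=alert(document.cookie)><'\"";

// Vulnerable pattern: the stored value lands in the attribute unchanged, so the
// quote and '>' in the value close the attribute and the <svg> becomes live markup.
function render_unsafe(string $url): string
{
    return '<a href="' . $url . '">Download</a>';
}

// Step 1 (assumed policy for this field): accept only absolute http/https URLs
// with a host. This rejects javascript: and data: schemes; it does not by itself
// reject quotes or angle brackets in the path, which parse_url() tolerates.
function validate_download_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Step 2: escape for the HTML attribute context at output time. ENT_QUOTES
// encodes both quote styles, so the value can no longer terminate the attribute.
// In WordPress the equivalents are esc_url() for the href and esc_attr() for
// other attributes; plain htmlspecialchars() is used here so the file runs alone.
function render_safe(string $url): string
{
    $valid = validate_download_url($url);
    if ($valid === null) {
        return '<span>No download available</span>';
    }
    $escaped = htmlspecialchars($valid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Download</a>';
}

echo render_unsafe(SAMPLE_INPUT), PHP_EOL;                        // attribute broken out of
echo render_safe(SAMPLE_INPUT), PHP_EOL;                          // quotes and brackets encoded
echo render_safe('javascript:alert(1)'), PHP_EOL;                 // rejected by the scheme check
echo render_safe('https://example.com/files/report.pdf'), PHP_EOL; // ordinary URL passes through
```

Both steps are needed: validation alone leaves the path free to carry quotes and angle brackets, and escaping alone would still let a javascript: URL through as a syntactically harmless but executable href. Applying the escaping at output time, rather than once on save, also keeps values already stored in the database covered.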
We have released a new version that has the fix for it.