Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Well ,sir ,I just found some Stored-XSS bugs at wp-plugin dark-mode.

ADLab of Venustech

Stored-XSS

When I visit the user profile page as a normal user contributor, I'll see the dark-mode function here:

http://127.0.0.1/wordpress/wp-admin/profile.php

But when I pentest the parameter in this plugin, I found when I write something into this point, it does not filter well.

Weak data parameter:

1.dark_mode_start='"><svg/onload=console.log(/xss1/)><'"
2.dark_mode_end='"><svg/onload=console.log(/xss2/)><'"

image

When the managers login into the panel, if they edit the profile page of contributor, I can get their cookie easily, or do something more evilly.

image

Well, by the way, I just test the bug in the wordpress 4.9.1 and the latest version of the wp-plugin dark-mode.