[webapps] WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
2021-10-28 20:37:24 Author: www.exploit-db.com(查看原文) 阅读量:45 收藏

# Exploit Title: WordPress Plugin Supsystic Contact Form  1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
# Date: 10/27/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://supsystic.com/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.18
# Tested on : Windows 10

#Poc:

1. Install Latest WordPress

2. Install and activate plugin.

3. Open plugin, click "Add New Form" and select any form. 

4. Click "Fields" tab and "Add New Field". Choose whatever you want.

5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen.

Payload : <img src=x onerror=alert(1)>
            

文章来源: https://www.exploit-db.com/exploits/50460
如有侵权请联系:admin#unsafe.sh