The WordPress Video Whisper Live Streaming plugin suffers from a cross site scripting vulnerability.
9c12f6bfff77b894e0a6d28038abd9788a6c0164f211f3d2010e8846d6b20b2d
#################################
# Iranian Exploit DataBase Forum
# http://iedb.ir/acc
# http://iedb.ir
#################################
# Exploit Title : Wordpress videowhisper-live-streaming-integration Plugin Xss vulnerabilities
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Email : IeDb.Team@Gmail.com
# Home : http://iedb.ir - http://iedb.ir/acc
# Software Link : http://wordpress.org/plugins/videowhisper-live-streaming-integration/
# Security Risk : High
# Tested on : Linux
# Dork : inurl:/videowhisper-live-streaming-integration/ls/htmlchat.php
#################################
# C0de :
<?php
$room = $_GET['n'];
if (!$room) $room = $_POST['n'];
//do not allow access to other folders
if ( strstr($room,"/") || strstr($room,"..") )
{
echo "Access denied.";
exit;
}
$name = $_POST['name'];
$message = $_POST['message'];
$day=date("y-M-j",time());
$chatfile = "uploads/$room/Log$day.html";
?>
# Exploit :
Please open the site vulnerable.
Put the script in the Field Name or Message
# Dem0 :
http://fmi.gov.ng/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
http://www.tambasurfcompany.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
http://www.galactic.to/NETI/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
http://www.piggybankblog.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
http://pecelifijianmethodist.org/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
#################################
# Exploit Archive = http://www.iedb.ir/exploits-402.html
#################################