
WordPress Dexs PM System Cross Site Scripting

Posted Oct 16, 2013
Authored by TheXero

WordPress Dexs PM System plugin suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 46585f05ce1c8abf03275497ab4ed1b5a5b1fe6f2f5d454627d66da4e26a2725

===============================================================================
| |
____ _ __
___ __ __/ / /__ ___ ______ ______(_) /___ __
/ _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
/_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
/___/ team

PUBLIC SECURITY ADVISORY
| |
===============================================================================


TITLE
=====

Dexs PM System - Authenticated Persistent Cross Site Scripting Vulnerability


AUTHOR
======

TheXero


DATE
====

10/14/2013

VENDOR
======

Sam Brishes - http://www.pytes.net/


AFFECTED PRODUCT
================

Dexs PM System WordPress plugin, version 1.0.1 and possibly earlier


VULNERABILITY CLASS
===================

Cross-Site Scripting


DESCRIPTION
===========


Dexs PM System suffers from a persistent Cross-Site Scripting vulnerability
when sending a message as an authenticated user. An account of at least
subscriber status is required to exploit this vulnerability.
The vulnerability exists because the subject parameter is neither validated
on input nor encoded on output.


PROOF OF CONCEPT
================

Enter the following into the subject field when sending a message to another
user.

--- SNIP ---

XSS<script>alert('xss');</script>

--- SNIP ---

If the message has been sent successfully, an alert dialog containing "xss"
will appear when a user checks their messages in the dashboard.
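The following is an added example, not the plugin's code, showing the rendering pattern the advisory describes (the stored subject echoed into the inbox as-is) beside the hardened version that validates on input and encodes on output. The table cell markup, the length limit and the `render_subject_*`/`store_subject` function names are assumptions; in WordPress the helpers are `esc_html()` and `sanitize_text_field()`, and the fallbacks below only exist so the file runs standalone.

```php
<?php
// Added example (not the plugin's code). Inside WordPress the helpers below are
// esc_html() and sanitize_text_field(); the fallbacks let this run standalone
// with `php render_subject.php`.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Strip tags and control characters (simplified version of the WP helper).
        $text = strip_tags($text);
        return trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $text));
    }
}

// Vulnerable pattern: the stored subject is written into the inbox listing
// unchanged, so markup supplied by the sender is interpreted by the
// recipient's browser when the dashboard renders.
function render_subject_vulnerable($stored_subject) {
    return '<td class="pm-subject">' . $stored_subject . '</td>';
}

// Hardened pattern, step 1: validate on the way in. This is defence in depth
// and keeps the stored value sane; it is not the control that stops XSS.
function store_subject($raw_subject) {
    $clean = sanitize_text_field($raw_subject);
    // Subject length limit is an assumed value, not taken from the plugin.
    return mb_substr($clean, 0, 200);
}

// Hardened pattern, step 2: encode on the way out. Output encoding is what
// actually prevents the stored string from being parsed as HTML.
function render_subject_safe($stored_subject) {
    return '<td class="pm-subject">' . esc_html($stored_subject) . '</td>';
}

// Constructed input: the payload from the advisory's proof of concept.
$payload = "XSS<script>alert('xss');</script>";

echo "vulnerable: " . render_subject_vulnerable($payload) . PHP_EOL;
echo "hardened:   " . render_subject_safe(store_subject($payload)) . PHP_EOL;
// Output encoding alone defuses the payload even when the input filter is
// absent or bypassed, which is why it must not be skipped.
echo "encoded:    " . render_subject_safe($payload) . PHP_EOL;
```

Comparing the first and last lines of output shows the difference the missing encoding makes: the angle brackets and quotes in the subject either reach the browser as markup or as harmless entities.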


IMPACT
======

An attacker could potentially hijack the session authentication tokens of remote
users and use the vulnerability as a foothold for further attacks against the
underlying software and operating system of the victim.


THREAT LEVEL
============

High


STATUS
======

0day


DISCLAIMER
==========

nullsecurity.net hereby emphasizes that the information published here is for
education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misuse!
