exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Advanced Page Visit Counter 1.0 Cross Site Scripting

Advanced Page Visit Counter 1.0 Cross Site Scripting
Posted Feb 9, 2024
Authored by Furkan Ozer

Advanced Page Visit Counter version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | f6d7790e5d925f394cef69bc78bd6c8b5f89cc8b9036ef13a7d4dd56535dc8e5

Advanced Page Visit Counter 1.0 Cross Site Scripting

Change Mirror Download
# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
Scripting (XSS) (Authenticated)
# Date: 11.10.2023
# Exploit Author: Furkan ÖZER
# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
# Version: 8.0.5
# Tested on: Kali-Linux,Windows10,Windows 11
# CVE: N/A


# Description:
Advanced Page Visit Counter is a remarkable Google Analytics alternative
specifically designed for WordPress websites, and it has quickly become a
must-have plugin for website owners and administrators seeking powerful
tracking and analytical capabilities. With the recent addition of Enhanced
eCommerce Tracking for WooCommerce, this plugin has become even more
indispensable for online store owners.

Homepage | Support | Premium Version

If you’re in search of a GDPR-friendly website analytics plugin exclusively
designed for WordPress, look no further than Advanced Page Visit Counter.
This exceptional plugin offers a compelling alternative to Google Analytics
and is definitely worth a try for those seeking enhanced data privacy
compliance.

This is a free plugin and doesn’t require you to create an account on
another site. All features outlined below are included in the free plugin.

Description of the owner of the plugin Stored Cross-Site Scripting attack
against the administrators or the other authenticated users.

The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site
Scripting attacks even when the unfiltered_html capability is disallowed
(for example in multisite setup)

The details of the discovery are given below.

# Steps To Reproduce:
1. Install and activate the Advanced Page Visit Counter plugin.
2. Visit the "Settings" interface available in settings page of the plugin
that is named "Widget Settings"
3. In the plugin's "Today's Count Label" setting field, enter the payload
Payload: " "type=image src=1 onerror=alert(document.cookie)> "
6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an
authenticated user.


# Video Link
https://youtu.be/zcfciGZLriM

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close