CVE | Category | Price | Severity |
---|---|---|---|
N/A | CWE-79 | N/A | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2019-06-28 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 0.02192 | 0.50148 |
```text
/*!
 * ::- Title: Live Chat Unlimited v2.8.3 Stored XSS Injection
 * ::- Author: m0ze
 * ::- Date: 2019/06/25
 * ::- Software: Live Chat Unlimited v2.8.3
 */

::- Details & Description -::

~ Weak security measures, such as poor filtering of input field data, have been discovered in Live Chat Unlimited. The current version of this premium WordPress plugin is 2.8.3.

::- Demo Website -::

~ https://codecanyon.net/item/wordpress-live-chat-plugin/3952877
~ Frontend: https://screets.com/

::- Special Note -::

~ 7.602 Sales, $75

::- Google Dork -::

~ inurl:"wp-content/plugins/screets-lcx"

::- PoC Links -::

~ -

::- PoC [Stored XSS Injection] -::

~ Go to the demo website https://screets.com/try/lcx/night-bird/ and open the chat window by clicking on the Open/close link, then click on Online mode to go online. Enter your payload in the input field and press [Enter]. The example payloads provided execute in the admin area, so it is possible to steal admin cookies or force a redirect to any other website.

~ Example #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">m0ze
~ Example #2: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">m0ze
```