WordPress Motopress Hotel Booking Lite 4.4.2 Cross Site Scripting

Motopress Hotel Booking Lite plugin version 4.4.2 suffers from a persistent cross site scripting vulnerability.


SHA-256 | 3ed48165602f4bd9548ae2c2a60d166d4e4c761edf4ac75c034e6792d95ba5bb

# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.4.2 - Stored Cross-Site Scripting (XSS)
# Date: 2022-09-28
# Exploit Author: Ali Alipour
# Vendor Homepage: https://motopress.com/
# Software Link: https://wordpress.org/plugins/motopress-hotel-booking-lite/
# Version: 4.4.2
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : N/A


PoC:

1: Install Latest WordPress

2: Install and activate Latest Motopress Hotel Booking Lite (4.4.2).

3: Navigate to Accommodation >> Services.

4: Click on "Add New" button And Enter the JavaScript Payload in the Title Field : ( "><script>alert("XSS")</script> )

5:Click on the publish button.

6. Visit http://localhost/wp/services/

7. XSS payload execute.

Related Posts