Vendor: Admin Bar & Dashboard Access Control
By: Rachit Arora
CVSS: 3.1, MEDIUM
Vulnerability Type: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Admin Bar & Dashboard Access Control
Affected Version From: 1.2.2008
Affected Version To: 1.2.2008
Patch Exists: NO
Related CVE: CVE-2023-47184
CPE: a:wordpress:admin_bar_&_dashboard_access_control:1.2.8
Platforms Tested: Windows
Year: 2023

WordPress Plugin Admin Bar & Dashboard Access Control 1.2.8 Stored Cross-Site Scripting (XSS)

The WordPress Plugin Admin Bar & Dashboard Access Control version 1.2.8 is vulnerable to stored cross-site scripting (XSS) due to improper input validation in the 'Dashboard Redirect' field. An attacker can store malicious scripts in this field, leading to the execution of arbitrary JavaScript code when triggered.

Mitigation:

Ensure proper input validation and sanitization of user-controlled input fields to prevent XSS attacks. Regularly update the plugin to the latest version to patch security vulnerabilities.
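One way to apply that mitigation to a setting of this kind, as an added example written in the style of a WordPress plugin (not this plugin's own code; the `example_` option and function names are assumptions): sanitize the value as a URL on save, escape it on output, and redirect only through wp_safe_redirect().

```php
<?php
// Added example, not the plugin's own code: a hardened "Dashboard Redirect"
// style setting. Option and function names here are hypothetical.

// Sanitize on save. esc_url_raw() strips characters that cannot appear in a URL
// (including the double quote, backticks and > used by the payload in the
// reproduction steps) and rejects protocols other than those listed, e.g. javascript:.
function example_sanitize_dashboard_redirect( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_options',
        'example_dashboard_redirect',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_dashboard_redirect',
            'default'           => '',
        )
    );
} );

// Escape on output. esc_attr() encodes " as &quot; (and ', which esc_url_raw keeps),
// so the stored value cannot close the value attribute and add onfocusin=/autofocus.
function example_render_dashboard_redirect_field() {
    $value = get_option( 'example_dashboard_redirect', '' );
    printf(
        '<input type="url" name="example_dashboard_redirect" value="%s" />',
        esc_attr( $value )
    );
}

// Redirect only through wp_safe_redirect(), which limits the target to allowed
// hosts (falling back to admin_url()) even if the stored option were tampered with.
function example_maybe_redirect_dashboard() {
    $url = get_option( 'example_dashboard_redirect', '' );
    if ( '' !== $url ) {
        wp_safe_redirect( $url );
        exit;
    }
}
```

Sanitizing on save and escaping on output are both needed: the first keeps markup out of the database, the second makes sure whatever is stored is rendered as attribute text rather than as HTML.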
Source (Exploit-DB raw data):

# Exploit Title:  WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field  Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 28/10/2023
# Exploit Author: Rachit Arora
# Vendor Homepage: 
# Software Link:  https://wordpress.org/plugins/admin-bar-dashboard-control/
# Version: 1.2.8
# Category: Web Application
# Tested on: Windows
# CVE : 2023-47184


1. Install WordPress (latest)

2. Install and activate Admin Bar & Dashboard Access Control.

3. Navigate to "Admin Bar & Dash" >> "Dashboard Access" and enter the payload into the "Dashboard Redirect" input field.

"onfocusin=alert``+autofocus>
"onfocusin=alert`document.domain`+autofocus>

4. You will observe that the payload is stored successfully, and when the same functionality is triggered the JavaScript payload executes and a pop-up appears.