Reflected XSS (CVE-2021-24316) #2

Open
pikpikcu opened this issue Jun 6, 2021 · 0 comments

pikpikcu commented Jun 6, 2021

Describe the bug
Hi Team,
We just found a Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS in https://blog.gopaddle.io/

To Reproduce
Steps to reproduce the behavior:
1. Open Browser and Go To site: https://blog.gopaddle.io/?post_type=post&s=
2. Inject XSS to param (s), and using payloads: "><script>alert(document.domain)</script>
3. Click Run and then XSS will trigger.

POC
https://blog.gopaddle.io/?post_type=post&s=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Screenshots
poc

reference:

Impact
As you know, with a reflected XSS, a malicious user could trick a user into browsing to a URL which would trigger the XSS and steal the user's cookie, capture keyboard strokes, etc., and eventually take over a user's account.

Regards
pikpikcu

gopaddle-io pushed a commit that referenced this issue Oct 29, 2021
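
The payload in the report opens with `">`, which is consistent with the `s` search term being echoed inside a quoted HTML attribute. As an added example (not code from the Mediumish theme or from this repository), the Python below renders a hypothetical search form with and without attribute encoding and audits the output with an HTML parser; the form markup and all function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Query string from the PoC in the issue above (host omitted on purpose).
QUERY = "post_type=post&s=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"

# Hypothetical search-form template; an assumption, not the theme's markup.
FORM = '<form method="get"><input type="search" name="s" value="{}"></form>'


def search_term(query):
    """Return the percent-decoded value of the `s` parameter."""
    return parse_qs(query, keep_blank_values=True).get("s", [""])[0]


def render_vulnerable(term):
    """Reflects the term verbatim, so a double quote ends the attribute."""
    return FORM.format(term)


def render_hardened(term):
    """Encodes &, <, > and both quote characters for an attribute context."""
    return FORM.format(escape(term, quote=True))


class _Audit(HTMLParser):
    """Records every start tag and the value of the `s` input field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and dict(attrs).get("name") == "s":
            self.value = dict(attrs).get("value")


def reflection_is_safe(html_out, term):
    """True when the term survives only as the field's value, adding no tags."""
    audit = _Audit()
    audit.feed(html_out)
    audit.close()
    return audit.tags == ["form", "input"] and audit.value == term
```

A check of this shape fits a template regression test: the hardened output must parse to the same two elements for every input, and the field value must round-trip to the exact string the user typed.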