[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Persistent XSS vulnerability in WP-UserOnline
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, "1337 Exploit DataBase" <mr.inj3ct0r@xxxxxxxxx>
- Subject: [Full-disclosure] Persistent XSS vulnerability in WP-UserOnline
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 24 Dec 2012 23:38:39 +0200
Hello list!
in 2010 I've disclosed multiple vulnerabilities (Cross-Site Scripting and
Full path disclosure) in WordPress plugin WP-UserOnline
(http://securityvulns.ru/Ydocument162.html,
http://seclists.org/fulldisclosure/2010/Jul/8). And recently I've disclosed
the exploit for persistent XSS vulnerability in WP-UserOnline. It must be
interesting for those who want to test this vulnerability.
Exploit:
http://websecurity.com.ua/uploads/2012/WP-UserOnline.txt
This perl exploit I've developed at 26.04.2010.
As I've wrote earlier, vulnerable are WP-UserOnline 2.62 and previous
versions. After my informing the developer released WP-UserOnline 2.70 (at
07.05.2010). In version 2.70 he fixed XSS, but not Full path disclosure
vulnerabilities.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/