Published on April 26th, 2022

WordPress Coru LFMember 1.0.2 Cross Site Scripting – Torchsec

# Exploit Title: WordPress Plugin Coru LFMember - Stored Cross Site Scripting
# Date: 26-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/
# Version: 1.0.2
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com

# Vulnerable Code:

```
<?php print stripslashes($result['game_name_short']) ?>

cols="10"><?php print stripslashes($result['game_description']) ?>
```
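
The two print statements above write stored values into the page without output encoding, so a saved field value is interpreted as markup when the page is rendered. The same two fields with encoding applied at output, as an added example that is not the plugin's or the advisory author's code; the function names, the surrounding markup and the sample row are assumptions, and inside WordPress the equivalent calls are esc_attr() and esc_textarea().

```php
<?php
// Added example: output encoding for the two sinks shown in the advisory.
// Plain PHP so it runs outside WordPress; in the plugin itself the
// equivalent calls are esc_html(), esc_attr() and esc_textarea().

/** Encode a stored value for an HTML text or quoted-attribute context. */
function lf_encode(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars(stripslashes($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the short-name input and description textarea (hypothetical markup). */
function lf_render_fields(array $result): string
{
    $name = lf_encode($result['game_name_short'] ?? '');
    $desc = lf_encode($result['game_description'] ?? '');
    return '<input type="text" name="game_name_short" value="' . $name . '">' . "\n"
         . '<textarea name="game_description" rows="5" cols="10">' . $desc . '</textarea>' . "\n";
}

// Constructed sample row: markup characters a stored value might contain.
$result = [
    'game_name_short'  => '"><b>marker</b>',
    'game_description' => "</textarea><i>marker</i> it\\'s",
];

$html = lf_render_fields($result);
echo $html;

// The stored markup must come out inert: no raw tag from the data survives.
if (strpos($html, '<b>') !== false || strpos($html, '<i>') !== false) {
    fwrite(STDERR, "unencoded markup reached the page\n");
    exit(1);
}
```

Encoding belongs at every place a stored field is printed, including the image name, long name and link fields listed in the steps below, since each output context is a separate sink.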

# POC

1. Install the Coru LFMember WordPress plugin and activate it.
2. Go to LFMember -> Add New and inject the XSS payload “>onerror=alert(1)> into the given fields, i.e., Game Image Name, Game Short Name, Game Long Name, Game Description, and Links to.
3. XSS will trigger and will be stored.

## POC Image

https://imgur.com/kZDtIVz
