Videos
Published on June 28th, 2016 📆 | 7251 Views ⚑
0WordPress Stream plugin stored XSS / RCE
iSpeech
This is another WordPress plugin vulnerability found while looking for *.uber.com bugs. One of the websites used a plugin called Stream. We found an unauthenticated stored XSS in the plugin code. Uber requested for a video demo, this is it (excuse me for the lacking production values).
The plugin shows an event log. There's no HTML escaping when outputting the events from database. There are several ways for an attacker to create events that contain HTML. One is demonstrated here.
2016-06-28 21:01:35
source
Gloss