Exploit/Advisories
Published on June 27th, 2022 📆 | 5044 Views ⚑
0WordPress W-DALIL 2.0 Cross Site Scripting – Torchsec
# Exploit Title: WordPress Plugin W-DALIL - Stored Cross Site Scripting
# Date: 27-06-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/w-dalil/
# Version: 2.0
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com#Vulnerable Code:
```
placeholder="< ?php echo __('Dalil item address','w-dalil'); ?>"
value="< ?php echo $dalil_information['dalil-address']; ?>" />
```
#Steps To Reproduce :
1 - First Install the plugin "*w-dalil*" and activate it.
2 - Go to Dalil —> Add New Dalil item
3 - Inside the “*Dalil item address*” enter XSS payload “*>onerror=alert(1)>*" and hit enter.
#Poc Image :
https://imgur.com/JPG97oh
Gloss