WordPress Flow-Flow Social Stream <=3.0.71 - Cross-Site Scripting

By kannthu

Medium
Vidoc Module
#xss #wordpress #wpscan
Description

What is "WordPress Flow-Flow Social Stream <=3.0.71 - Cross-Site Scripting"?

The "WordPress Flow-Flow Social Stream <=3.0.71 - Cross-Site Scripting" module detects a cross-site scripting vulnerability in the Flow-Flow Social Stream WordPress plugin. It targets versions of the plugin up to and including 3.0.71. Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The severity of this vulnerability is classified as medium.

Impact

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the affected website. This can lead to various malicious activities, such as stealing sensitive user information, manipulating website content, or redirecting users to malicious websites.

How does the module work?

The module sends an HTTP GET request to the "/wp-admin/admin-ajax.php?action=fetch_posts&stream-id=1&hash=%3Cimg%20src=x%20onerror=alert(document.domain)%3E" endpoint of the target WordPress website. It then applies several matching conditions to determine if the vulnerability is present:

- The response body must contain both of the following strings (quotation marks included): "hash":"<img src=x onerror=alert(document.domain)>" and "errors".
- The response header must contain the word "text/html".
- The HTTP status code must be 200.

If all the matching conditions are met, the module reports the vulnerability.
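
On the defending side, the request shape described above can be searched for in web server access logs. The following Python sketch is an added example, not part of the Vidoc module; it assumes combined-format log lines and that a legitimate hash value never contains HTML metacharacters, and all sample lines (including the value a1b2c3) are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a genuine hash token never needs these HTML metacharacters.
MARKUP_RE = re.compile(r'[<>"\']')

def is_flow_flow_xss_probe(log_line):
    """Return True if the line requests action=fetch_posts with markup in `hash`."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # parse_qs percent-decodes names and values once, so %3C is seen as "<".
    params = parse_qs(url.query, keep_blank_values=True)
    if "fetch_posts" not in params.get("action", []):
        return False
    return any(MARKUP_RE.search(v) for v in params.get("hash", []))

def find_probes(lines):
    """Return the log lines that match the probe pattern."""
    return [line for line in lines if is_flow_flow_xss_probe(line)]

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=fetch_posts&stream-id=1'
    '&hash=%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=fetch_posts&stream-id=1&hash=a1b2c3 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&hash=%3Cb%3E HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php'
    '?hash=%3Cimg%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("possible Flow-Flow XSS probe:", hit)
```

Only GET requests are covered, since that is what the module sends; values that are percent-encoded twice are not decoded by this check.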

Note: This module is part of the Vidoc platform, which uses multiple modules to perform scanning. Each module represents a specific test case to detect misconfigurations, vulnerabilities, or software fingerprints.

Module preview

Concurrent Requests (1)

1. HTTP Request template: GET /wp-admin/admin-ajax...

Matching conditions:

- word: "hash":"<img src=x onerror=alert(documen... (and)
- word: text/html (and)
- status: 200

Passive global matcher: No matching conditions.

On match action: Report vulnerability