Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

WordPress PHPFreeChat 0.2.8 - Cross-Site Scripting

By kannthu

High
Vidoc logoVidoc Module
#xss#wp-plugin#edb#wordpress
Description

What is "WordPress PHPFreeChat 0.2.8 - Cross-Site Scripting?"

The "WordPress PHPFreeChat 0.2.8 - Cross-Site Scripting" module is designed to detect a cross-site scripting vulnerability in the WordPress PHPFreeChat 0.2.8 plugin. This vulnerability allows an attacker to execute arbitrary scripts in the browser of an unsuspecting user. The severity of this vulnerability is classified as high, with a CVSS score of 7.2.

This module was authored by daffainfo.

Impact

If exploited, this vulnerability can lead to unauthorized script execution in the browser of a user who interacts with the affected WordPress PHPFreeChat 0.2.8 plugin. This can potentially result in the theft of sensitive information, session hijacking, or other malicious activities.

How the module works?

The module sends an HTTP GET request to the following path:

/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

The module then applies several matching conditions to determine if the vulnerability is present:

- The response body must contain the string </script><script>alert(document.domain)</script> - The response header must contain the string text/html - The HTTP status code must be 200

If all of these conditions are met, the module reports the vulnerability.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/wp-content/plugins/...
Matching conditions
word: </script><script>alert(document.domain)<...and
word: text/htmland
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability