Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

WordPress SocialFit - Cross-Site Scripting

By kannthu

Vidoc logoVidoc Module

What is "WordPress SocialFit - Cross-Site Scripting?"

The "WordPress SocialFit - Cross-Site Scripting" module is designed to detect a vulnerability in the WordPress SocialFit plugin. This vulnerability allows for cross-site scripting (XSS) attacks, which can potentially lead to unauthorized access and data theft. The severity of this vulnerability is classified as high.


If exploited, this vulnerability can allow attackers to inject malicious scripts into web pages viewed by users of the affected WordPress site. This can lead to various consequences, including the theft of sensitive information, session hijacking, defacement of the website, and the spread of malware to site visitors.

How the module works?

The module sends a GET request to the "/wp-content/plugins/socialfit/popup.php" endpoint of the WordPress site, with a specific query parameter that triggers the vulnerability. The request is checked against several matching conditions to determine if the vulnerability is present:

- The response body is checked for the presence of the specific payload that triggers the XSS attack: </script><script>alert(document.domain)</script> - The response header is checked to ensure that the content type is "text/html" - The response status code is checked to ensure it is 200 (OK)

If all of these conditions are met, the module reports the vulnerability, indicating that the WordPress SocialFit plugin is susceptible to cross-site scripting attacks.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Matching conditions
word: </script><script>alert(document.domain)<...and
word: text/htmland
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability