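After installing the whitelable theme, the vulnerable file is located at: `/whitelable-framework/inc/snippets/form-sharebymail_iframe.php`

Line 48 ~ 50:

```
$recipient = $_POST['recipemail'];
if (stripos($recipient, ','))
    $recipient = substr($recipient, 0, stripos($recipient, ','));
```

As you can see, the `recipemail` value received via POST only has everything from the comma onward stripped off, and is then stored directly in the variable `$recipient`.

Line 86:

```
<div id="confirmation">Your Message has been successfuly sent to <?php echo $recipient ?> </div>
```

The unescaped `$recipient` is echoed straight into the page, which results in XSS.

After reproducing it, I found that this vulnerability is only a fairly useless self-XSS... but since it was submitted, it is still worth analyzing.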
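A hardened form of the two snippets above, as an added example that is not the theme's own code: the recipient is validated as an e-mail address and HTML-encoded at the point of output. The function names `first_recipient`, `validated_recipient` and `h` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the whitelable theme. Function names are hypothetical.

// Keep only the first address, as lines 48-50 intend. Comparing against false
// also handles a comma at offset 0, which a bare truthiness check would skip.
function first_recipient(string $raw): string
{
    $pos = strpos($raw, ',');
    if ($pos !== false) {
        $raw = substr($raw, 0, $pos);
    }
    return trim($raw);
}

// Return the recipient only if it is a syntactically valid e-mail address.
function validated_recipient(string $raw): ?string
{
    $email = filter_var(first_recipient($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['recipemail'].
$samples = [
    'alice@example.com',
    'alice@example.com,bob@example.com',
    '<b>not-an-address</b>',
    ',leading-comma@example.com',
];

foreach ($samples as $raw) {
    $recipient = validated_recipient($raw);
    if ($recipient === null) {
        // Rejected input is never reflected back into the page.
        echo '<div id="confirmation">Invalid recipient address.</div>', "\n";
        continue;
    }
    // Validation does not replace encoding: valid addresses may still contain
    // characters such as ' or &, so the value is escaped at output.
    echo '<div id="confirmation">Your Message has been sent to ', h($recipient), "</div>\n";
}
```

Inside WordPress, `esc_html()` performs the output encoding done here by `h()`.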