Escalating WordPress 2.6 search XSS to Arbitrary File Upload
dork: "is proudly powered by WordPress"
XSS (Reflected) :
XSS (Persistent) :
Once a session is stolen, two persistent XSS vectors become possible with either Editor or Admin account level access:
Arbitrary File Upload :
If we have admin access and wp-content/uploads is chmod 777 (to enable file uploads), we can upload PHP files:
Write Post -> add media (from toolbar), upload our a.php file:
Arbitrary File Upload :
The file is uploaded to the following path, where 2008 is the year and 08 is the month at the time of upload:
game over
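A defender-side check for the condition described above, as an added example that is not part of the original post: it walks an uploads tree and reports world-writable directories (the chmod 777 case) and any files a PHP handler could execute. The function name `audit_uploads` and the extension list are assumptions; pass the site's own wp-content/uploads path.

```python
import os
import stat
import sys

# Extensions a PHP-enabled web server may execute (assumed list;
# match it to the handler mappings of the server being audited).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def audit_uploads(root):
    """Return (world_writable_dirs, script_files) as sorted paths relative to root."""
    writable, scripts = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        # World-writable bit set, e.g. a directory left at mode 777
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            writable.append(os.path.relpath(dirpath, root))
        for name in filenames:
            # Check every dot-separated suffix, case-insensitively, so that
            # names such as "a.php.jpg" are flagged as well as "a.php"
            suffixes = name.lower().split(".")[1:]
            if any("." + s in SCRIPT_EXTS for s in suffixes):
                full = os.path.join(dirpath, name)
                scripts.append(os.path.relpath(full, root))
    return sorted(writable), sorted(scripts)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_uploads.py /path/to/wp-content/uploads")
    dirs, files = audit_uploads(sys.argv[1])
    for d in dirs:
        print("world-writable directory:", d)
    for f in files:
        print("script file in uploads:", f)
    # Non-zero exit status lets a cron job or CI step alert on findings
    sys.exit(1 if dirs or files else 0)
```

Any hit in the second list is a file that should not exist in a media directory; denying script execution for the uploads path in the web server configuration removes the impact even if an upload gets through.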