.. / CVE-2015-2807

Exploit for Navis DocumentCloud <0.1.1 - Cross-Site Scripting (CVE-2015-2807)

Description:

Navis DocumentCloud plugin before 0.1.1 for WordPress contains a reflected cross-site scripting vulnerability in js/window.php which allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

Proof of Concept

PoC exploit

Nuclei Template

View the template here CVE-2015-2807.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2015/CVE-2015-2807.yaml
Copy

References:

https://nvd.nist.gov/vuln/detail/CVE-2015-2807
https://wordpress.org/plugins/navis-documentcloud/changelog/
https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
https://wpvulndb.com/vulnerabilities/8164
https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/