CVE-2006-6808
WordPress 2.0.5 - Cross-Site Scripting via File Parameter in wp-admin/templates.php
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-6808. PoCs published by David Kierznowski.
AI-analyzed exploit summary: This exploit demonstrates an HTML injection vulnerability in WordPress versions prior to 2.0.6. It leverages improper input sanitization in the 'file' parameter of 'templates.php' to execute arbitrary JavaScript, potentially leading to cookie theft or site manipulation.
Description
Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in wp-admin/admin-functions.php.