CVE-2008-1304

WordPress 2.3.2 - Cross-Site Scripting via Invite Email and To Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-1304. PoCs published by Doz.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in WordPress 2.3.2 by injecting an iframe via the 'inviteemail' parameter in the users.php admin page. The payload steals cookie-based authentication credentials by redirecting to a malicious URL.

Description

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Doz · textwebappsphp
https://www.exploit-db.com/exploits/31356

This exploit demonstrates a cross-site scripting (XSS) vulnerability in WordPress 2.3.2 by injecting an iframe via the 'inviteemail' parameter in the users.php admin page. The payload steals cookie-based authentication credentials by redirecting to a malicious URL.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress 2.3.2
Auth required
Prerequisites: Access to the WordPress admin panel · User interaction to trigger the payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Doz · textwebappsphp
https://www.exploit-db.com/exploits/31357

This exploit demonstrates a cross-site scripting (XSS) vulnerability in WordPress 2.3.2 by injecting a malicious script via the 'to' parameter in the invites.php page. The PoC uses a simple alert script to prove the vulnerability.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress 2.3.2
No auth needed
Prerequisites: Access to the target WordPress admin interface
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/489241/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41055
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41056
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28139
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/3732
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1019564

Scores

EPSS 0.0500
EPSS Percentile 91.1%

Details

CWE
CWE-79
Status published
Products (1)
wordpress/wordpress 2.3.2
Published Mar 12, 2008
Tracked Since Feb 18, 2026