CVE-2013-5977

Cart66 Lite Plugin < 1.5.1.15 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5977. PoCs published by absane.

AI-analyzed exploit summary This exploit demonstrates a CSRF and stored XSS vulnerability in WordPress Cart66 Plugin 1.5.1.14. The PoC includes HTML/JavaScript to auto-submit a malicious product form, exploiting lack of CSRF tokens and input sanitization.

Description

Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or conduct cross-site scripting (XSS) attacks via the (2) Product name or (3) Price description field in a product save action via a request to wp-admin/admin.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by absane · textwebappsphp

https://www.exploit-db.com/exploits/28959

View Code ZIP pw:eip

This exploit demonstrates a CSRF and stored XSS vulnerability in WordPress Cart66 Plugin 1.5.1.14. The PoC includes HTML/JavaScript to auto-submit a malicious product form, exploiting lack of CSRF tokens and input sanitization.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Cart66 Plugin 1.5.1.14

Auth required

Prerequisites: Authenticated WordPress admin session · Victim interaction (clicking a link)

MITRE ATT&CK