# Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting # Date: 2019-07-18 # Vendor Homepage: https://www.onesignal.com # Software Link: https://wordpress.org/plugins/onesignal-free-web-push-notifications/ # Affected version: 1.17.5 # Exploit Author: LiquidWorm # Tested on: Linux Summary: OneSignal is a high volume and reliable push notification service for websites and mobile applications. We support all major native and mobile platforms by providing dedicated SDKs for each platform, a RESTful server API, and an online dashboard for marketers to design and send push notifications. Desc: The application suffers from an authenticated stored XSS via POST request. The issue is triggered when input passed via the POST parameter 'subdomain' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: WordPress 5.2.2 Apache/2.4.39 PHP/7.1.30 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2019-5530 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5530.php
" />