CVE-2018-13256 : PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter.

CVE-2018-13256 – Vikas Chaudhary

# Exploit Title: Chartered Accountant : Auditor Website 2.0.1 – Reflected, Stored XSS
# Date: 26.06.2018
# Site Title : Find your needs on Domain Name
# Vendor Homepage:
# Software Link:
# Category: Web Application
# Version: 2.0.1
# Exploit Author: Vikas Chaudhary
# Contact:
# Web:
# Tested on: Windows 10 - Firefox
# CVE: CVE-2018-13256

Proof of Concept:
1. Go to the site ( ).
2. Select the REGISTER page (Register now).
3. Create an account using your email address; in FIRST NAME, LAST NAME, and PASSWORD put this script => <img src =x onError=alert("VIKAS")>
4. Now check your email and verify it.
5. Come back to the site and log in using your verified email and password.
6. You will get a popup reading VIKAS in your account when you have logged in.
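
The popup in step 6 appears because the stored name is written back into the account page without HTML encoding. The following is an added example, not code from the Auditor Website product or from the advisory author: the function names, the $storedUser row and the name-validation rule are assumptions chosen to show the vulnerable output pattern beside an encoded one.

```php
<?php
declare(strict_types=1);

// Constructed sample: a profile row as it would sit in the database after
// registration stored the submitted name fields unchanged.
$storedUser = [
    'firstname' => '<img src =x onError=alert("VIKAS")>',
    'lastname'  => "O'Brien",
];

// Vulnerable pattern (hypothetical): the stored value is concatenated into
// HTML as-is, so the browser parses it as markup on every page view.
function renderGreetingUnsafe(array $user): string
{
    return '<h2>Welcome, ' . $user['firstname'] . ' ' . $user['lastname'] . '</h2>';
}

// HTML-encode at the point of output. ENT_QUOTES also encodes ' and ", which
// matters if the value is ever placed inside an attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderGreetingSafe(array $user): string
{
    return '<h2>Welcome, ' . e($user['firstname']) . ' ' . e($user['lastname']) . '</h2>';
}

// Defence in depth at registration (assumed rule): letters, combining marks,
// spaces, apostrophes, dots and hyphens only, 1 to 64 characters.
// Encoding on output remains the primary control.
function isValidName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'\-]{1,64}$/u', $name) === 1;
}

// Compare the two renderings of the same stored row.
echo renderGreetingUnsafe($storedUser), PHP_EOL;
echo renderGreetingSafe($storedUser), PHP_EOL;

// Run the registration check on both stored fields.
var_dump(isValidName($storedUser['firstname']));
var_dump(isValidName($storedUser['lastname']));
```

Encoding belongs in every template that prints the name, including e-mail bodies and admin views, since the value is stored once and rendered in many places.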

