
My Pentest Log -15- (HTML Injection in Wordpress)

Hamit CİBO
2 min read · Apr 19, 2022


Greetings Everyone from Thrakion,

Today, I would like to tell you about the “HTML Injection” vulnerability that I discovered on a WordPress-based application.

1. I was informed by our project manager that I would conduct tests on “private.com”.

2. As always, I first reviewed the scope form and then began the necessary security testing steps.

3. I detected various vulnerabilities, but the most motivating one was the HTML injection vulnerability I found in the “/hello-world/” directory, which WordPress developers generally use for testing purposes and then forget to remove.

So what is this “/hello-world” directory?

It is created automatically during WordPress installation, and it usually carries a form field where you can add comments for testing purposes. The problem is that, without sufficient input validation rules on that form, vulnerabilities such as HTML injection become possible.

4. After a small directory discovery on the private.com application, I was able to find the “https://private.com/hello-world” address.
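For the defender's side of this finding, here is a hardening example added to this post (it is not the author's code and not part of WordPress itself): a must-use plugin that narrows the HTML allowed in comment bodies before they are saved and refuses comments on the leftover sample post. The plugin name, the `hci_` function names and the tag allowlist are my assumptions; the sample post slug `hello-world` is the one named above.

```php
<?php
/**
 * Plugin Name: Harden Comment Input (added example, not from the original post)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Only these inline tags survive in a comment body; every other tag and
// attribute is stripped. Assumption: comments on this site need no links or images.
function hci_allowed_comment_html() {
    return array(
        'b'      => array(),
        'strong' => array(),
        'i'      => array(),
        'em'     => array(),
        'code'   => array(),
    );
}

// Runs on the submitted comment data before WordPress writes it to the database.
function hci_sanitize_comment( $commentdata ) {
    $commentdata['comment_content'] = wp_kses(
        $commentdata['comment_content'],
        hci_allowed_comment_html()
    );
    return $commentdata;
}
add_filter( 'preprocess_comment', 'hci_sanitize_comment', 10, 1 );

// Report the leftover sample post as closed for comments. This hides the form
// on the page and makes wp-comments-post.php reject submissions to it, without
// touching the database. Removing the sample post entirely is the cleaner fix.
function hci_close_sample_post_comments( $open, $post_id ) {
    $post = get_post( $post_id );
    if ( $post && 'hello-world' === $post->post_name ) {
        return false;
    }
    return $open;
}
add_filter( 'comments_open', 'hci_close_sample_post_comments', 10, 2 );
```

Stock WordPress already passes comment content from users without the `unfiltered_html` capability through its KSES allowlist; this plugin replaces that default list with a much smaller one, so test that legitimate comments still render as expected after enabling it.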
