Escalating WordPress 2.6 search XSS to Arbitrary File Upload

dork: "is proudly powered by WordPress"

XSS (Reflected):

XSS (Persistent):

Once a session is stolen, two persistent XSS vectors become possible with either Editor or Admin account-level access:

Arbitrary File Upload:

If we have an admin account and wp-content/uploads is chmod 777 (world-writable, as is often done to make file uploads work), we can upload PHP files:

Write Post -> Add Media (from the toolbar), then upload our a.php file:

The file is uploaded to the following path, where 2008 is the year and 08 is the month at the time of upload:

game over
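As an added defender-side example (not part of the original write-up), the script below audits a wp-content/uploads tree for the two conditions this technique depends on: a world-writable uploads directory, and files under the year/month folders that would run as PHP. The sample tree it builds is constructed, and the extension list assumes a typical Apache/mod_php handler mapping.

```python
import os
import re
import stat
import tempfile

# Assumption: extensions a common mod_php setup hands to the interpreter.
# Tune this to the server's real handler mapping.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# A PHP open tag found in the first bytes of any file, whatever its name.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def is_world_writable(path: str) -> bool:
    """True when the 'other' write bit is set (e.g. chmod 777)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_uploads(uploads_dir: str) -> dict:
    """Walk an uploads tree and report world-writable directories and
    files that could execute as PHP, by extension or by content."""
    findings = {"world_writable_dirs": [], "php_files": []}
    for root, _dirs, files in os.walk(uploads_dir):
        if is_world_writable(root):
            findings["world_writable_dirs"].append(root)
        for name in files:
            full = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if ext in EXECUTABLE_EXTS or PHP_TAG.search(head):
                findings["php_files"].append(full)
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed fixture mirroring the 2008/08 year/month layout."""
    uploads = os.path.join(base, "wp-content", "uploads")
    target = os.path.join(uploads, "2008", "08")
    os.makedirs(target)
    os.chmod(uploads, 0o777)  # the weak permission the write-up relies on
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "a.php": b"<?php echo 'constructed sample'; ?>",
        "notes.txt": b"<?php /* php tag behind a harmless extension */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(target, name), "wb") as fh:
            fh.write(body)
    return uploads


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_uploads(build_sample_tree(tmp)))
```

Only the uploads directory itself is flagged as world-writable because the year/month subfolders are created with the default umask; notes.txt is reported on content alone.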

Reference

OWASP: Cross Site Scripting

OWASP: Unrestricted File Upload