Exploit Title: WordPress Comment Attachment 1.0 Cross Site Scripting
Date: 2013 20 September
Author: Arsan
author email: [email protected]
author twitter: @ArsanBlackhat
Software Link: http://wordpress.org/plugins/comment-attachment/
Version : 1.0
Tested on: Linux & Windows
Category: webapps
Google Dork : inurl:"/comment-attachment/comment-attachment.php"

Exploit :

[-] Description :
1) Download and install the "Comment Attachment" plugin.
2) Go to the Comment Attachment settings:
Settings > Discussion > Comment Attachment
3) Insert this code in the "Attachment field title" field and save:

"><script>alert(/Arsan/)</script>

4) Then view a post and its comments by following this link:
http://localhost/wp/?p=1
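
The fix for the stored XSS in the steps above, as an added example that is not the plugin's own code: a saved field title rendered without and with output encoding. The function names and the form markup are hypothetical, and it assumes the title lands in an HTML attribute, as the leading `">` of the payload suggests.

```php
<?php
// Constructed sample: the value the advisory saves as "Attachment field title".
$stored_title = '"><script>alert(/Arsan/)</script>';

// Hypothetical "before": the saved setting is concatenated into the form as-is.
function render_field_unescaped(string $title): string
{
    return '<input type="file" name="attachment" title="' . $title . '">';
}

// Hardened output: encode for HTML at the point of use, quotes included.
// Inside WordPress, esc_attr() / esc_html() serve this purpose.
function render_field_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="file" name="attachment" title="' . $safe . '">';
}

// Defence in depth on save: drop tags before storing the setting.
// Inside WordPress, sanitize_text_field() as a register_setting()
// sanitize callback plays this role.
function sanitize_title_on_save(string $raw): string
{
    return trim(strip_tags($raw));
}

// Crude check for the demo: did a live <script> tag reach the markup?
function has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$cases = [
    'unescaped output'        => render_field_unescaped($stored_title),
    'escaped output'          => render_field_escaped($stored_title),
    'sanitized, then escaped' => render_field_escaped(sanitize_title_on_save($stored_title)),
];

foreach ($cases as $label => $html) {
    printf("%-24s script tag: %s\n  %s\n", $label, has_script_tag($html) ? 'yes' : 'no', $html);
}
```

Stripping tags on save still leaves the `"` in the stored value, so the encoding at output time is the control that closes the attribute breakout.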