CVE-2016-15041 PoC — MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Sc

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2016/CVE-2016-15041.yaml

Associated Vulnerability

Title:MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting (CVE-2016-15041)
Description:The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Description

MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress versions up to 3.1.2 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject and execute arbitrary scripts when users access affected pages.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →