CVE-2018-14869 :PHP Template Store Script- 3.0.6 ā€“ Stored XSS Vulnerability

I found that specified PHP Template Store Script- 3.0.6 – Stored XSS Vulnerability via Address ,Bank Name,and A/c Holder Name. To exploit this vulnerability, the following steps were taken.

1. Go to the site ( ) .

2- Click on => Login => Register => and then fill the Form and click on Register Now

3-Goto your mail and Verify it.

4-Now come back to site and Sign in using your Verified mail and Password.

5-Goto Setting => Personal information and paste these code in

Address line 1 => “*><*img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2 => “*><*img src=x onerror=prompt(/KHAN/)>
Bank name => “*><*img src=x onerror=prompt(/KING/)>
A/C Holder name => “*><*img src=x onerror=prompt(/GOOGLEQUEENS/)>

and then click on Update Profile.

Note=> Remove * From the Code

6-Now You will having popup of /SARAFRAZ/ , /KHAN/ , / KING/ and /GOOGLEQUEENS/ in you account..

Leave a Comment