Description: Multiple Cross-Site Scripting (XSS) vulnerabilities in installation of PluckCMS v.4.7.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the cont1 and cont2 parameters in the installation process- Website Name.
Attack Vectors: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
During the installation process we enter the XSS payload in any of the 2 parameters and when we click on next, we will obtain the XSS pop-up
<img src=x:alert(alt) onerror=eval(src) alt='XSS Page'>In the following image you can see the embedded code that executes the payload in the instalaltion process.
And below is evidence of the execution of the payload when accessing the main website:
