CVE-2016-15041
published 2024-10-16


Priority: P180 medium
CVSS 3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit status: VulnCheck KEV, exploited in the wild (ITW)
EPSS: 1.23% (percentile 65.1)
The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected (2 ranges)

Vendor   Product                                                          Version range   Fixed in
mainwp   mainwp_dashboard                                                 <= 3.1.2
mainwp   mainwp_dashboard_self-hosted_wordpress_management_for_agencies   < 3.1.3         3.1.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension
url: /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension&_wpnonce={{nonce}}
path: /wp-content/plugins/mainwp/
path: /wp-content/plugins/mainwp-vuln/readme.txt
command (POST body): mwp_setup_purchase_username={{randstr}}"+onmouseover%3Dalert(document.domain)+x%3D"&mwp_setup_purchase_passwd=test&save_step=1
  • Detect exploitation attempts by matching the XSS payload in the POST body targeting the vulnerable parameter (mwp_setup_purchase_username).
  • Detect the stored XSS payload in the HTTP response body: look for the string ' onmouseover=alert(document.domain) x' in pages served from the MainWP setup wizard.
  • Flag unauthenticated POST requests to /wp-admin/admin-post.php with the query parameters page=mainwp-setup&step=purchase_extension as potential exploitation of CVE-2016-15041.
  • Version fingerprinting: check /wp-content/plugins/mainwp-vuln/readme.txt for a 'Stable tag:' value <= 3.1.2 to confirm a vulnerable plugin version.
  • Confirm the presence of the MainWP setup wizard page by matching the keywords 'MainWP', 'Setup Wizard' and 'mwp_setup_purchase_username' in the response body.
  • Extract the WordPress nonce from the setup page response using the regex '_wpnonce" value="([a-zA-Z0-9]+)"' for use in the exploit POST request.
  • The vulnerability is exploitable by unauthenticated attackers; no authentication is required to POST the malicious payload to the setup wizard endpoint.
  • The attack requires two HTTP steps, first a GET to retrieve the nonce, then a POST with the XSS payload; detection logic must account for this multi-step flow.
  • Affected versions are up to and including 3.1.2; a version check against the readme.txt Stable tag is required to avoid false positives on patched installs.
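The detection bullets above can be turned into a small matcher that a WAF or log pipeline could run. The code below is an added example, not code from this page, from MainWP or from the source the IoCs were extracted from. It assumes requests have already been parsed into dicts with method, path, query and body keys; the sample requests and the readme text are constructed, and the event-handler pattern it looks for is the quote-then-on*= shape of the page's own IoC.

```python
"""Detection helpers for the CVE-2016-15041 indicators listed above.

Added example, not code from the page or from MainWP. It assumes
HTTP requests are available as dicts with 'method', 'path', 'query'
(raw query string) and 'body' (raw form body) keys, as a WAF or proxy
log might yield. The sample requests and readme below are constructed.
"""
import re
from urllib.parse import parse_qs

SETUP_ENDPOINT = "/wp-admin/admin-post.php"
VULN_PARAM = "mwp_setup_purchase_username"
LAST_VULNERABLE = (3, 1, 2)  # versions <= 3.1.2 are affected per the advisory

# Attribute injection: a quote that closes the attribute value, then an
# on* event handler assignment (the shape of the IoC on this page).
HANDLER_INJECTION = re.compile(r'["\'][^"\'<>]*\bon[a-z]+\s*=', re.IGNORECASE)


def targets_setup_wizard(req):
    """True when the request is a POST to the setup wizard 'purchase_extension' step."""
    if req["method"].upper() != "POST" or req["path"] != SETUP_ENDPOINT:
        return False
    q = parse_qs(req.get("query", ""))
    return q.get("page") == ["mainwp-setup"] and q.get("step") == ["purchase_extension"]


def classify_request(req):
    """Return 'exploit', 'suspicious' or 'benign' for one request record.

    'exploit'    : wizard-step POST whose vulnerable parameter carries an
                   event-handler injection
    'suspicious' : any POST to the wizard step without an injection seen
                   (the page says such unauthenticated POSTs should be flagged)
    'benign'     : everything else
    """
    if not targets_setup_wizard(req):
        return "benign"
    # parse_qs decodes '+' to space and %3D to '=', so the pattern is
    # checked against the value the server would actually store.
    form = parse_qs(req.get("body", ""), keep_blank_values=True)
    for value in form.get(VULN_PARAM, []):
        if HANDLER_INJECTION.search(value):
            return "exploit"
    return "suspicious"


def stable_tag_is_vulnerable(readme_text):
    """Parse 'Stable tag: X.Y.Z' from a plugin readme.txt and compare to 3.1.2.

    Returns True/False, or None when no Stable tag line is present.
    """
    m = re.search(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)", readme_text,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    return version <= LAST_VULNERABLE


# Constructed sample traffic: nonce fetch, a normal form submit, the
# injection shape from the page's IoC, and an unrelated login POST.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": SETUP_ENDPOINT,
     "query": "page=mainwp-setup&step=purchase_extension", "body": ""},
    {"method": "POST", "path": SETUP_ENDPOINT,
     "query": "page=mainwp-setup&step=purchase_extension&_wpnonce=abc123",
     "body": "mwp_setup_purchase_username=alice@example.test"
             "&mwp_setup_purchase_passwd=test&save_step=1"},
    {"method": "POST", "path": SETUP_ENDPOINT,
     "query": "page=mainwp-setup&step=purchase_extension&_wpnonce=abc123",
     "body": 'mwp_setup_purchase_username=zz"+onmouseover%3Dalert(document.domain)+x%3D"'
             "&mwp_setup_purchase_passwd=test&save_step=1"},
    {"method": "POST", "path": "/wp-login.php", "query": "", "body": "log=admin&pwd=x"},
]

# Constructed readme fragment in the WordPress plugin readme format.
SAMPLE_README = "=== MainWP Dashboard ===\nContributors: mainwp\nStable tag: 3.1.2\n"


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request record; returns the list of verdicts in order."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{verdict:10s} {req['method']} {req['path']}?{req['query']}")
    print("readme marks vulnerable version:", stable_tag_is_vulnerable(SAMPLE_README))
```

The 'suspicious' tier exists because the page recommends flagging any unauthenticated POST to the wizard step, not only ones carrying the known payload; pairing a 'suspicious' or 'exploit' verdict with a readme Stable tag at or below 3.1.2 is what separates a real exposure from noise on a patched install.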

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck             7.2     HIGH