Video Link PDF Link "Clickjacking for Shells" by Andrew Horton is an excellent demonstration of ClickJacking attack. In his demonstration, he leveraged the ClickJacking vulnerability to install vulnerable WordPress plugin. From it, he utilized Cross Site Scripting vulnerability in that plugin to upload a PHP shell script. Lessons Learnt 1. ClickJacking attack when utilized with other attack vectors is awesome. It just depends on the creativity how the attack will be carried out. 2. Web applications should never allow language specific shell scripts to be uploaded even for administrator users. This fact is largely underestimated by nowadays' open-source developers.