# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)  
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/  
# Date: 2022-04-13  
# Exploit Author: UnD3sc0n0c1d0  
# Vendor Homepage:  
# Software Link:  
# Category: Web Application  
# Version: 1.7.4  
# Tested on: CentOS / WordPress 5.9.3  
# CVE : N/A  
# 1. Technical Description:  
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing   
potentially dangerous characters to be inserted. This includes the reported payload, which   
triggers a persistent Cross-Site Scripting (XSS).  
# 2. Proof of Concept (PoC):  
a. Install and activate version 1.7.4 of the plugin.  
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).  
c. Open the "Video example" or create a new one (whichever you prefer).  
d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video)   
the following payload:  
" autofocus onfocus=alert(/XSS/)>.  
e. Save the changes. "Edit" button.  
f. JavaScript will be executed and a popup with the text "XSS" will be displayed.  
Note: This change will be permanent until you modify the edited field.