Exploit for Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers CVE-2023-5307

Name: Exploit for Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers CVE-2023-5307
Rating: 5 (2 reviews)

2023-10-09 | CVSS 5.8

## https://sploitus.com/exploit?id=WPEX-ID:6FAC1E09-21AB-430D-B56D-195E7238C08C
1. Use a proxy such as BurpSuite to add the following header to all requests:

X-Forwarded-For: 11.11.11.11<img src=x onerror=alert(1)>

2. Create a gallery and add its shortcode to a page.
3. As an unauthenticated user, upload an image to the gallery from the frontend.
4. As an administrator, click on "Contest Gallery" in the sidebar and click "Edit Gallery" on the gallery entry to trigger the XSS.