## https://sploitus.com/exploit?id=WPEX-ID:8D8E5852-3787-47F9-9931-8308BB81BEB1
Login Notice Text: (before version 2.5.9.9)

1. Go to Namaste Settings.
2. Enable modules with the "Enable modules between courses and lessons" setting.
3. In the section for 'Default "You need to be logged in" texts', update the text for any of them to include `<img src=x onerror="alert(/XSS/)">`.
4. Visit the Course, Lesson, and Module pages without being logged in to confirm the XSS.

Other Payment Options:

1. Go to Namaste Settings.
2. Enable the option "Accept other payment methods".
3. In the text box below, update the text to include `<script>alert(/XSS/)</script>`.
4. Create a course, and set the "Students need to pay a fee" setting to a positive value.
5. On a post, add the enrolment button for the course: `[namaste-enroll course_id=ID_GOES_HERE]`
6. Log in as a subscriber and click the enrol button on the post to confirm the XSS.