## https://sploitus.com/exploit?id=WPEX-ID:E23BF712-D891-4DF7-99CC-9EF64F19F685
Log on as an admin, create or edit a Form Field (wp-admin/admin.php?page=wpbdp_admin_formfields), and set the Field Label input to a payload such as <script>alert(/XSS/)</script>

XSS payloads execute:
- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing
- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv
- When adding/editing a listing: /wp-admin/post-new.php?post_type=wpbdp_listing
- On various Settings pages, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings
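
Because the stored Field Label is rendered on several front-end and admin pages, the mitigation is to sanitize it on save and escape it at every point of output. The following is an added example, not the plugin's own code: the function names and sample labels are hypothetical, and PHP built-ins stand in for WordPress's esc_html() and sanitize_text_field() so it runs without WordPress.

```php
<?php
// Added example: hypothetical helpers, not code from the plugin.

// Constructed sample of stored Field Labels; the second is the payload from this page.
$stored_labels = [
    'Business Name',
    '<script>alert(/XSS/)</script>',
    'Phone & Fax',
];

// Vulnerable pattern: the stored label is concatenated into markup as-is.
function render_label_unsafe(string $label): string {
    return '<label class="field-label">' . $label . '</label>';
}

// Hardened output: encode for the HTML context at render time.
// In WordPress this is the job of esc_html() (esc_attr() inside attributes).
function render_label_safe(string $label): string {
    return '<label class="field-label">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</label>';
}

// Hardened input: strip markup and collapse whitespace before saving.
// In WordPress this is the job of sanitize_text_field().
function sanitize_label(string $raw): string {
    $text = strip_tags($raw);
    return trim(preg_replace('/\s+/', ' ', $text) ?? '');
}

// Audit helper: return labels already stored that contain markup,
// so they can be reviewed and cleaned after the fix is deployed.
function labels_with_markup(array $labels): array {
    return array_values(array_filter(
        $labels,
        fn(string $l): bool => $l !== strip_tags($l)
    ));
}

foreach ($stored_labels as $label) {
    echo "unsafe: ", render_label_unsafe($label), "\n";
    echo "safe:   ", render_label_safe($label), "\n";
    echo "saved:  ", sanitize_label($label), "\n\n";
}

echo "labels needing review:\n";
print_r(labels_with_markup($stored_labels));
```

Escaping at output is the control that covers every page listed above; sanitizing on save only protects labels written after the fix, which is why the audit helper checks values already in storage.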