- Install the plugin (and WooCommerce, which it depends on to do anything useful)
- Navigate to WooCommerce -> PPOM Fields
- Click on the "Add new group" green button
- Fill the "Meta group name", "Control price display on product page" and "Apply for Categories" with gibberish.
- Add a field by clicking the "Add field" blue button
- Select "Text Input"
- Insert <script>alert(1);</script> in the "Title" text field, and save.
- You should get an alert box, BUT, we're not done yet. To make the popup appear to other administrators, click on the "Save Fields" button on the bottom right.
- Any (super-)administrators visiting http://vulnerable.site/wp-admin/admin.php?page=ppom&productmeta_id=$ID_OF_THE_CREATED_PPOM_GROUP&do_meta=edit will see the alert box. This can be done by a legitimate administrator by clicking on the malicious group's name in http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=ppom