WordPress W-DALIL plugin version 2.0 suffers from a persistent (stored) cross-site scripting vulnerability: the value of the "Dalil item address" field is echoed back into an HTML attribute without escaping.
3d149a791c07c7cfc468c60b80fc0a429d771a83d5713a156f35ef0f03df6cc5
# Exploit Title: WordPress Plugin W-DALIL - Stored Cross-Site Scripting
# Date: 27-06-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/w-dalil/
# Version: 2.0
# Tested on: Firefox
# Contact me: [email protected]
# Vulnerable Code:
```php
<input class="dalil_input" name="dalil-address" type="text"
placeholder="<?php echo __('Dalil item address','w-dalil'); ?>"
value="<?php echo $dalil_information['dalil-address']; ?>" />
```
# Steps To Reproduce:
1 - Install the plugin "w-dalil" and activate it.
2 - Go to Dalil -> Add New Dalil item.
3 - In the "Dalil item address" field enter the XSS payload "><img src=x onerror=alert(1)> and submit the form. The payload is stored with the item and fires when the form is rendered again, because the leading double quote closes the value attribute and the <img> tag becomes live markup.
# PoC Image:
https://imgur.com/JPG97oh
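The following is an added example, not code from the W-DALIL plugin or from the advisory author. It reproduces the sink shown in the vulnerable template line with the advisory's payload, then shows the same line with the value escaped for an HTML attribute context. In WordPress the idiomatic call is `esc_attr()` (and `esc_attr__()` for the translated placeholder); the example uses plain `htmlspecialchars()` with `ENT_QUOTES` so it runs outside WordPress. The `$dalil_information` array and the function names are assumptions made for the example. One caveat the advisory does not cover: the impact depends on which user roles can create a Dalil item, since administrators on single-site WordPress hold `unfiltered_html` by default and a stored XSS reachable only by them is far less severe than one reachable by a lower-privileged editor.

```php
<?php
// Added example (not the plugin's own code). $dalil_information mirrors the
// array the plugin's template reads from; the sample value below is constructed.

// Vulnerable rendering: same pattern as the plugin template, echoing the
// stored value straight into a double-quoted attribute.
function render_address_vulnerable(array $dalil_information): string
{
    return '<input class="dalil_input" name="dalil-address" type="text"'
         . ' value="' . $dalil_information['dalil-address'] . '" />';
}

// Hardened rendering: escape for the attribute context before output.
// ENT_QUOTES encodes both " and ' so the value can never close the attribute.
function render_address_safe(array $dalil_information): string
{
    $value = htmlspecialchars(
        (string) ($dalil_information['dalil-address'] ?? ''),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<input class="dalil_input" name="dalil-address" type="text"'
         . ' value="' . $value . '" />';
}

// Returns true when the rendered markup still contains a raw <img> tag,
// i.e. when the payload escaped the attribute and became live HTML.
function payload_breaks_out(string $html): bool
{
    return strpos($html, '<img') !== false;
}

// Constructed sample input: the payload from the reproduction steps above.
$dalil_information = ['dalil-address' => '"><img src=x onerror=alert(1)>'];

$vulnerable = render_address_vulnerable($dalil_information);
$safe       = render_address_safe($dalil_information);

echo "vulnerable: {$vulnerable}\n";
echo "safe:       {$safe}\n";

// Self-check: the unescaped form lets the tag out, the escaped form does not.
if (!payload_breaks_out($vulnerable) || payload_breaks_out($safe)) {
    fwrite(STDERR, "unexpected rendering result\n");
    exit(1);
}
echo "ok\n";
```

Run it with `php example.php`. In the vulnerable output the stored double quote terminates the `value` attribute and the `<img>` element is parsed as markup; in the hardened output the same bytes appear as `&quot;&gt;&lt;img ...&gt;` inside the attribute and render as inert text. Sanitising on save (for example `sanitize_text_field()`) is a reasonable defence in depth, but the fix that closes this bug is escaping at the point of output.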