CVE-2022-1558: WordPress Curtain 1.0.2 Cross Site Scripting ≈ Packet Storm
The Curtain WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (the capability that normally stops administrators from storing raw HTML or script).
# Exploit Title: Multiple Stored Cross-Site Scripting vulnerabilities in WordPress Curtain plugin 1.0.2
# Date: 29-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Description

Several stored Cross-Site Scripting vulnerabilities exist in the Curtain WordPress plugin. Two of the plugin's settings (Heading and Managers) are stored without sanitisation and rendered back into the settings page without escaping. A payload saved once in either field executes for every user who later opens that page, so an attacker would be able to steal cookies, hijack sessions, or control the browser of the victim.

Both injection points live on an administrative settings page (options-general.php), so the attacker needs an account that can save those settings, i.e. an administrator. The weakness is that the stored value is neither sanitised on save nor escaped on output, so the payload fires even where the unfiltered_html capability has been removed (for example for site administrators on a multisite install), which is the control that normally prevents administrators from storing script.

*Reproduce XSS in Heading Section:*

1- Login to your WordPress application
2- Install the Curtain plugin
3- Open the page http://wordpressURL/wp-admin/options-general.php?page=curtain
4- Inject the following payload in Heading and save the settings:
"><h1 onclick=alert(1)>XSS</h1>
5- An alert will trigger (the payload closes the input's value attribute, so the injected heading is rendered and fires onclick when clicked).

*Reproduce XSS in Managers Textarea Section:*

1- Login to your WordPress application
2- Install the Curtain plugin
3- Open the page http://wordpressURL/wp-admin/options-general.php?page=curtain
4- Inject the following payload in Managers and save the settings:
"></textarea><script>alert(1)</script>
5- An alert will trigger (the payload closes the textarea, so the script runs as soon as the settings page loads).
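The two patterns behind this advisory, a settings value echoed raw into an input and a textarea versus the same value run through a sanitize_callback on save and esc_attr()/esc_textarea() on output, are shown in the added example below. This is illustrative code written for this page, not the Curtain plugin's own source; the option group, option names and field names (xss_demo_group, xss_demo_heading, xss_demo_managers) are assumptions, and the WordPress API calls used (register_setting, sanitize_text_field, sanitize_textarea_field, esc_attr, esc_textarea, settings_fields, submit_button, add_options_page) are the standard ones.

```php
<?php
/*
 * Plugin Name: Curtain-style settings (illustrative)
 *
 * Hypothetical settings page written for this advisory, NOT the Curtain
 * plugin's own code. Option group and option/field names are assumptions.
 * xss_demo_render_vulnerable() reproduces the unsanitised/unescaped pattern;
 * xss_demo_render_hardened() is the fixed form.
 */

// --- Vulnerable variant: nothing sanitised on save, nothing escaped on output.
function xss_demo_register_vulnerable() {
    // No sanitize_callback: whatever the form posts is stored verbatim.
    register_setting( 'xss_demo_group', 'xss_demo_heading' );
    register_setting( 'xss_demo_group', 'xss_demo_managers' );
}

function xss_demo_render_vulnerable() {
    $heading  = get_option( 'xss_demo_heading', '' );
    $managers = get_option( 'xss_demo_managers', '' );
    // Raw interpolation. The payload  "><h1 onclick=alert(1)>XSS</h1>  closes
    // the value="" attribute and the <input>; the payload
    // "></textarea><script>alert(1)</script>  closes the <textarea>. Either one
    // is stored once and then rendered for every admin who opens the page.
    echo '<input type="text" name="xss_demo_heading" value="' . $heading . '">';
    echo '<textarea name="xss_demo_managers">' . $managers . '</textarea>';
}

// --- Hardened variant: sanitise on the way in, escape on the way out.
function xss_demo_register_hardened() {
    register_setting( 'xss_demo_group', 'xss_demo_heading', array(
        'type'              => 'string',
        // Single-line field: strip tags, encoded tags and control characters.
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    register_setting( 'xss_demo_group', 'xss_demo_managers', array(
        'type'              => 'string',
        // Multi-line field: same cleanup but line breaks are preserved.
        'sanitize_callback' => 'xss_demo_sanitize_multiline',
        'default'           => '',
    ) );
}

function xss_demo_sanitize_multiline( $value ) {
    // wp_strip_all_tags() first so <script> blocks lose their body as well as
    // their tags; sanitize_textarea_field() then normalises the remainder.
    return sanitize_textarea_field( wp_strip_all_tags( (string) $value ) );
}

function xss_demo_render_hardened() {
    // Output escaping is the control that still holds when unfiltered_html is
    // disallowed, or when the option was written by some other code path.
    $heading  = get_option( 'xss_demo_heading', '' );
    $managers = get_option( 'xss_demo_managers', '' );
    // esc_attr() encodes " ' < > &, so the attribute cannot be closed early.
    echo '<input type="text" name="xss_demo_heading" value="' . esc_attr( $heading ) . '">';
    // esc_textarea() HTML-encodes the body, so </textarea> cannot terminate it.
    echo '<textarea name="xss_demo_managers">' . esc_textarea( $managers ) . '</textarea>';
}

function xss_demo_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'xss-demo' ) );
    }
    echo '<div class="wrap"><h1>' . esc_html__( 'Curtain-style settings (demo)', 'xss-demo' ) . '</h1>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'xss_demo_group' ); // nonce + hidden option_page fields
    xss_demo_render_hardened();           // swap in xss_demo_render_vulnerable() to reproduce the bug
    submit_button();
    echo '</form></div>';
}

add_action( 'admin_init', 'xss_demo_register_hardened' );
add_action( 'admin_menu', function () {
    add_options_page( 'XSS demo', 'XSS demo', 'manage_options', 'xss-demo', 'xss_demo_page' );
} );
```

With the hardened registration, the Heading payload is stored as `"&gt;XSS` after sanitize_text_field() and rendered as `&quot;&gt;XSS` by esc_attr(); the Managers payload loses its tags on save and, even if a raw value reached the option table, esc_textarea() would render `&lt;/textarea&gt;` rather than closing the element. Keeping both layers matters: the sanitize_callback protects against this form, the output escaping protects against any other writer of the option.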