# Exploit Title: WordPress Plugin W-DALIL - Stored Cross Site Scripting # Date: 27-06-2022 # Exploit Author: Mariam Tariq - HunterSherlock # Vendor Homepage: https://wordpress.org/plugins/w-dalil/ # Version: 2.0 # Tested on: Firefox # Contact me: mariamtariq404@gmail.com #Vulnerable Code: ``` <input class="dalil_input" name="dalil-address" type="text" placeholder="<?php echo __('Dalil item address','w-dalil'); ?>" value="<?php echo $dalil_information['dalil-address']; ?>" /> ``` #Steps To Reproduce : 1 - First Install the plugin "*w-dalil*" and activate it. 2 - Go to Dalil —> Add New Dalil item 3 - Inside the “*Dalil item address*†enter XSS payload “*><img src=x onerror=alert(1)>*" and hit enter. #Poc Image : https://imgur.com/JPG97oh