How to craft an XSS payload to create an admin user in Wordpress

What I'll go through in this post is exactly how to capitalize on a particular (old) Wordpress plugin vulnerability to deliver a persistent XSS injection (not logged into Wordpress) that will later be executed by someone logged into Wordpress with higher privileges, such as an administrator.

WordpreXSS Exploitation » Rainbow and Unicorn

WordPress XSS to RCE Vulnerability

Luke (hakluke) Stephens on LinkedIn: Some programs will upgrade

Cross-Site Scripting: The Real WordPress Supervillain

Stored Cross-Site Scripting Vulnerability in WordPress 4.8.1

What is a Cross-Site Scripting (XSS) attack: Definition & Examples

WordPress XSS Attacks- How To Protect Your Website Explained

WordpreXSS Exploitation » Rainbow and Unicorn

The impact of an XSS vulnerability on WordPress: How hackers

10 Practical scenarios for XSS attacks

WordpreXSS Exploitation » Rainbow and Unicorn

TrustedSec Tricks for Weaponizing XSS

Toxssin - An XSS Exploitation Command-Line Interface And Payload

What is Cross-site Scripting and How Can You Fix it?

Patching an XSS Security Bug in add-comments Plugin - Patchstack