How to craft an XSS payload to create an admin user in Wordpress

What I'll go through in this post is exactly how to capitalize on a particular (old) Wordpress plugin vulnerability to deliver a persistent XSS injection (not logged into Wordpress) that will later be executed by someone logged into Wordpress with higher privileges, such as an administrator.

WordPress XSS Attack, Symptoms, Example

TrustedSec Scraping Login Credentials With XSS

TrustedSec Tricks for Weaponizing XSS

WordPress XSS Attack (Cross Site Scripting) - How To Prevent?

TrustedSec Tricks for Weaponizing XSS

How to Fix and Prevent XSS Attacks in WordPress - IsItWP

WordPress 5.8.2 Stored XSS Vulnerability

XSS (Cross Site Scripting) Part 1 – What is XSS? – simpleisbest.co.uk

A stored cross-site scripting (XSS) vulnerability exists in

The impact of an XSS vulnerability on WordPress: How hackers

GitHub - hoodoer/WP-XSS-Admin-Funcs: JavaScript functions intended

Stored XSS Vulnerability found in Strong Testimonials Plugin

Technical write-up on CVE-2022-2753

53973 (WordPress <= 5.8 - Authenticated Persistent XSS (User role

WordpreXSS Exploitation » Rainbow and Unicorn