# Exploit Title: WordPress Plugin Coru LFMember - Stored Cross Site Scripting
# Date: 26-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/
# Version: 1.0.2
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com

# Vulnerable Code:

```
```

# POC

1. Install the Coru LFMember WordPress plugin and activate it.
2. Go to LFMember -> Add New and inject XSS payload “> in the fields given, i.e., Game Image Name, Game Short Name, Game Long Name, Game Description, and Links to.
3. XSS will trigger and will be stored.

## POC Image

https://imgur.com/kZDtIVz
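
The fix for the fields listed in the PoC is to encode every stored value at the point of output and to restrict the scheme of the "Links to" value. The following is an added example in plain PHP, not the plugin's code (which the page does not show); the array keys and function names are hypothetical, modelled on the field labels above.

```php
<?php
// Added example, not the plugin's code. Array keys and function names are
// hypothetical, modelled on the form field labels in the PoC steps.
// Inside WordPress, esc_html(), esc_attr() and esc_url() fill the same roles.

// Encode a value for an HTML text node or a quoted attribute.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs; anything else becomes an empty string.
function clean_url(string $value): string
{
    $value  = trim($value);
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return filter_var($value, FILTER_VALIDATE_URL) === false ? '' : $value;
}

// Render one stored record, encoding every field at the point of output.
function render_game(array $game): string
{
    $short = encode_html($game['short_name'] ?? '');
    $url   = clean_url($game['links_to'] ?? '');
    // Encoding alone does not make an href safe, so the scheme is checked first.
    $title = $url === '' ? $short : '<a href="' . encode_html($url) . '">' . $short . '</a>';

    return '<div class="game" title="' . encode_html($game['long_name'] ?? '') . '">'
        . '<h3>' . $title . '</h3>'
        . '<p>' . encode_html($game['description'] ?? '') . '</p>'
        . '<small>' . encode_html($game['image_name'] ?? '') . '</small>'
        . '</div>';
}

// Constructed sample record: markup characters in each field, as in PoC step 2.
$stored = [
    'image_name'  => 'cover.png"><i>x</i>',
    'short_name'  => '"><i>test</i>',
    'long_name'   => 'Long "quoted" name',
    'description' => '<b>bold</b> & more',
    'links_to'    => 'javascript:void(0)',
];

echo render_game($stored), PHP_EOL;
```

Run with the PHP CLI: the submitted markup appears in the output only as entities, and the record with the rejected link scheme is rendered without an anchor.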