# Exploit Title: WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS)# Google Dork: NA# Date: 28/10/2023# Exploit Author: Rachit Arora# Vendor Homepage: # Software Link: https://wordpress.org/plugins/admin-bar-dashboard-control/# Version: 1.2.8# Category: Web Application# Tested on: Windows# CVE : 2023-471841. Install WordPress (latest)2. Install and activate Admin Bar & Dashboard Access Control.3. Navigate to "Admin Bar & Dash">> Under Dashboard Access andin the "Dashboard Redirect" enter the payload into the input field.
"onfocusin=alert``+autofocus>
"onfocusin=alert`document.domain`+autofocus>4. You will observe that the payload successfully got stored and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
