Authored by Rachit Arora

WordPress Admin Bar and Dashboard Access Control plugin version 1.28 suffers from a persistent cross site scripting vulnerability.

advisories | CVE-2023-47184

# Exploit Title:  WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field  Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 28/10/2023
# Exploit Author: Rachit Arora
# Vendor Homepage:
# Software Link:
# Version: 1.2.8
# Category: Web Application
# Tested on: Windows
# CVE : 2023-47184

1. Install WordPress (latest)

2. Install and activate Admin Bar & Dashboard Access Control.

3. Navigate to "Admin Bar & Dash" >> Under Dashboard Access and in the "Dashboard Redirect" enter the payload into the input field.


4. You will observe that the payload successfully got stored and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.