How to craft an XSS payload to create an admin user in Wordpress

What I'll go through in this post is exactly how to capitalize on a particular (old) Wordpress plugin vulnerability to deliver a persistent XSS injection (not logged into Wordpress) that will later be executed by someone logged into Wordpress with higher privileges, such as an administrator.

Cross-Site Scripting (XSS): Exploiting XSS vulnerabilities

WordPress XSS Attacks- How To Protect Your Website Explained

How to Fix and Prevent XSS Attacks in WordPress - IsItWP

How to Fix and Prevent XSS Attacks in WordPress - IsItWP

WordpreXSS Exploitation » Rainbow and Unicorn

GitHub - hoodoer/WP-XSS-Admin-Funcs: JavaScript functions intended

Luke (hakluke) Stephens on LinkedIn: Some programs will upgrade

Exploring XSS Attack: My Approaches, Techniques, and Mitigation

How to Fix and Prevent XSS Attacks in WordPress - IsItWP