Cross-Site Scripting (XSS) Skills Assessment

Hi there, I am facing trouble with the final assessment.
I want to identify the proper payload for the comment field, but it does not accept my comment even if I tested it before.
The madness is that after an assessment server restart I cannot reproduce the same comment which previously worked for the preview.
I also did not receive any duplication message.

Thanks for any kind of help.


Is the comment field the only one you are trying to exploit?

I tried all of them.
I also set up a local env with WP in the same version,
but still nothing :frowning:

Am I considering it correctly when I expect that the admin is refreshing wp-admin/edit-comments.php? So the XSS has to be reflected in the HTML rendering of this page.

I was able to print complete HTML tags there, but they were only printed as text and not treated as functional elements.

Email was the only field which I was not able to manipulate at all.

You are correct that the admin plays a part in it, but I think you are going down a rabbit hole. When you submit a regular comment, note that it sends a message saying that the admin must review the comment before it gets posted.

That means the goal is to attack the admin who is reviewing your comment. Don’t bother with the email field. If that hasn’t given you any ideas, then give the Session Hijacking section another read then start fresh on the Skills Assessment.

DM me if you are still stuck.

Here is my big learning from this easy lab.


@onthesauce Thank you for pointing me back to test the previous hijacking lab.

– spoiler → setting up a local env for this lab is Alice’s way to ■■■■