CVE-2018-9236

# Exploit Title: iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
# Date: 02/04/2018
# Exploit Author: ManhNho
# Contact: https://facebook.com/aviciicloud
# Vendor Homepage: https://www.iscripts.com
# Demo Page: https://www.demo.iscripts.com/easycreate/demo/
# Version: 3.2.1
# Tested on: Windows 10
# Category: Webapps
# CVE: CVE-2018-9236

1. Description
====================
iScripts Easycreate 3.2.1 is affected by a XSS vulnerability

2. PoC
====================
> #1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
> #2. In "edit site" action
>  Inject </title>"><script>alert('1')</script> to "Site title" field
> #3. Save and change! refresh and we have alert pop up!
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 25% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from SimpleSwap — instant swap).