CVE-2018-10752

# Exploit Title: WordPress Plugin Tagregator 0.6 - Stored XSS
# Date: 05/05/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
# Version: 0.6
# Tested on: CentOS 6.5
# CVE : CVE-2018-10752
# Category : Webapps

1. Description
===========
WordPress Plugin Tagregator 0.6 - Stored XSS

2. Proof of Concept
===========

#1. Login to admin panel
#2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram Media/Flickr Post/Google+ Activities and click "Add New" button
#3. In title field, inject XSS pattern such as:
	<script>alert('ManhNho')</script> and click Preview button
#4. This site will response url that will alert popup named ManhNho
#5. Send this xss url to another administrators, we have same alert
✅ Leaked Exploit Documentation:

https://rawtext.host/raw?44lh4m

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 38% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without any verification from Swapzone — instant swap).