Set " <script>alert(document.domain)</script> as the website name.
Fill other required fields with random values and save.
Then just visit the admin dashboard and the alert will fire.
The payload fires each time a target visits the dashboard, even if the target is not logged in: the website redirects to /admin/ and presents the login form, and the payload is reflected there as well.
In order to test this, just click logout and reload the page.
Tested version: 8c2c8909 (latest)
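The fix for this class of bug is to encode the stored website name on output in every template that reflects it, including the unauthenticated login page. The following is an added example, not code from the affected project: the template is a constructed stand-in (the report does not show the real one), and the function names are hypothetical.

```python
import html
import re

# Constructed stand-in for the login page served at /admin/; the real
# project's template is not shown in the report.
LOGIN_TEMPLATE = (
    '<head><title>{name} - Login</title>'
    '<meta name="application-name" content="{name}"></head>'
)

PAYLOAD = '" <script>alert(document.domain)</script>'  # payload from the report


def render_unsafe(site_name: str) -> str:
    """Vulnerable pattern: stored value interpolated without encoding."""
    return LOGIN_TEMPLATE.format(name=site_name)


def render_safe(site_name: str) -> str:
    """Encode on output; quote=True also escapes " and ' for attribute contexts."""
    return LOGIN_TEMPLATE.format(name=html.escape(site_name, quote=True))


def has_injected_script(page: str) -> bool:
    """Regression check: True if the rendered page contains a <script> element."""
    return re.search(r"<\s*script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe render contains script:", has_injected_script(render_unsafe(PAYLOAD)))
    print("safe render contains script:  ", has_injected_script(render_safe(PAYLOAD)))
```

The same check belongs in the test suite for both the dashboard and the login template, since the report shows the value is reflected in each.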