Users Ultra [Persistence XSS]


Once a user is registered he can add new subscription packages or modify existing ones. No data sanitization is taking place before saving package details in DB. This allows a malicious user to include JS code in package name and/or package description.


  • Send a post request to with data:
  • Visit as admin or go to the page that
    contains package information at front end.