[mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection

Disclosed: 2017-06-14 18:35:23 By ysx To wordpress
Medium
Vulnerability Details
Hi,

By injecting a crafted AngularJS payload into the `search` endpoint on the WordPress Swag Store, it was possible to achieve reflected XSS further to resolved report #221893. I came across a potential exploitation vector after noticing that a search query for `{{2*2}}` returned `4` in the site title response.

## Conditions Verified In

* Firefox 52.0.3 – stable
* Safari 10.1 – stable

## Proof of Concept URL

```
https://mercantile.wordpress.org/search/{{constructor.constructor('alert(document.domain)')()}}
```

## Screenshot

{F186517}

Thanks!
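The report turns on one detail: the search term was reflected into a page whose `<html>` element carries `ng-app`, so AngularJS compiled the document (title included) and evaluated `{{...}}` in the reflected text even though ordinary HTML escaping was in place. The snippet below is an added example, not code from the report or from mercantile.wordpress.org. It models that shape with a constructed page skeleton, shows the server-side fix of marking reflected regions `ng-non-bindable`, and includes a small static check a test suite can run over rendered HTML. The function names, the page markup and the Express-style `render(query)` signature are assumptions for the demonstration.

```javascript
// Added example (not from the report or mercantile.wordpress.org): a reflected
// search term under AngularJS ng-app, a hardened rendering, and a static check.
// Page skeleton and function names are assumed for the demo.

const PROBE = '{{2*2}}';   // the reporter's probe: renders as "4" when interpolated
const SANDBOX_ESCAPE = "{{constructor.constructor('alert(document.domain)')()}}";

// Standard HTML escaping. It never touches "{" or "}", which is why it blocks
// markup injection but not AngularJS interpolation.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable shape: ng-app on <html> makes AngularJS compile the whole
// document, including <title>, so {{...}} in the reflected term is evaluated.
function renderVulnerable(query) {
  const q = escapeHtml(query);
  return `<html ng-app>
<head><title>Search: ${q}</title></head>
<body><h1>Results for ${q}</h1></body>
</html>`;
}

// Hardened shape: each element that carries untrusted text is ng-non-bindable,
// so the compiler skips it and {{...}} stays literal. Entity-encoding the
// braces would not help: the browser decodes entities before AngularJS reads
// the DOM text nodes.
function renderHardened(query) {
  const q = escapeHtml(query);
  return `<html ng-app>
<head><title ng-non-bindable>Search: ${q}</title></head>
<body><h1>Results for <span ng-non-bindable>${q}</span></h1></body>
</html>`;
}

// Static check: does any occurrence of `term` sit inside an AngularJS-compiled
// region, i.e. under an ng-app ancestor with no ng-non-bindable ancestor?
// Walks tags with a small stack; a heuristic, not a full HTML parser.
function isInterpolationReachable(html, term) {
  const VOID = new Set(['meta', 'link', 'br', 'img', 'input', 'hr']);
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  const hits = [];
  for (let i = html.indexOf(term); i !== -1; i = html.indexOf(term, i + 1)) hits.push(i);
  if (hits.length === 0) return false;

  const stack = [];
  let h = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    // Every occurrence that starts before this tag is judged by the current stack.
    while (h < hits.length && hits[h] < m.index) {
      if (stack.some(t => t.ngApp) && !stack.some(t => t.nonBindable)) return true;
      h++;
    }
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (closing) {
      for (let i = stack.length - 1; i >= 0; i--) {
        if (stack[i].name === name) { stack.length = i; break; }
      }
    } else if (!VOID.has(name) && !attrs.trim().endsWith('/')) {
      stack.push({
        name,
        ngApp: /(^|\s)(data-)?ng-app(=|\s|$)/.test(attrs),
        nonBindable: /(^|\s)(data-)?ng-non-bindable(=|\s|$)/.test(attrs),
      });
    }
  }
  return false;
}

// Convenience for tests: render a payload and look for its escaped reflection.
function checkRender(render, payload) {
  return isInterpolationReachable(render(payload), escapeHtml(payload));
}

console.log('vulnerable, probe reachable:', checkRender(renderVulnerable, PROBE));
console.log('hardened, probe reachable:  ', checkRender(renderHardened, PROBE));
```

The probe order follows the report: `{{2*2}}` first, because a literal `4` in the response proves interpolation without depending on any sandbox behaviour; the `constructor.constructor(...)` payload is only worth sending once that is confirmed, since whether it executes depends on the AngularJS version in use.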
Report Stats
  • Report ID: 230234
  • State: Closed
  • Substate: resolved
  • Upvotes: 28