CarSpot Theme <= 2.1.6 – Authenticated Stored XSS

Proof of Concept
Authorize on the demo website for tests:, login is and passowrd is asdasd. If this account will be deleted, simply create a new one, it's easy. On the profile page there is one vulnerable input field w/o filering: «Phone Number». Fill in your payload, f.e. <script>alert('QUIXSS')</script> and save this changes. After that, on each page where data from your profile is loading you'll see saved payload in action.