## https://sploitus.com/exploit?id=WPEX-ID:66616623-0C80-4B95-A8DE-5D7F8C6A57B3
The first endpoint is derived from the website's URL (e.g., https://www.wordpress.com/): the URL with the "-redux" suffix appended is MD5-hashed, and the resulting hash is used as the AJAX action name.

For example, for the above URL, the first endpoint will be: https://www.wordpress.com/wp-admin/admin-ajax.php?action=16a8ca2d7a9690742c2048ec7b7f0f56

A simple HTTP GET request to this first action returns the first part of the second hash, which is needed to trigger the "support_args" method.

Take the hash returned by the first endpoint and MD5-hash it with the "-support" suffix. The resulting hash is the second action name, which can be used to modify some of the plugin's settings (enable/disable logging).

For example: POST /wp-admin/admin-ajax.php?action=30cf1a163dd8a8787885585aee1e1973&redux_framework_disable_tracking=tru

Note that the other parameters that can be passed in the URL are also known in advance to malicious actors, e.g., hash, i, and code.

Impact: An unauthenticated malicious actor can change the plugin's settings and possibly even make it print other sensitive information about the plugin.
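For triage, the request pattern described above can be searched for in web server access logs. The following is an added example, not part of the original advisory or of the plugin's code: it assumes a common/combined log format, and the site URL, log lines, function names and finding labels are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Common/combined access-log prefix: client IP, timestamp, then the request target.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def redux_action_hash(site_url: str) -> str:
    """MD5 of the site URL with the "-redux" suffix, as described above.
    Assumption: the URL is hashed with its trailing slash, as in the page's example."""
    if not site_url.endswith("/"):
        site_url += "/"
    return hashlib.md5((site_url + "-redux").encode()).hexdigest()

def flag_requests(log_lines, site_url):
    """Return (client_ip, finding, action) for requests matching the described pattern."""
    first_hash = redux_action_hash(site_url)
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        action = query.get("action", [""])[0].lower()
        if action == first_hash:
            # Request to the site-specific action that returns the hash.
            findings.append((ip, "hash-disclosure-request", action))
        elif HEX32.match(action) and "redux_framework_disable_tracking" in query:
            # Settings change; only visible in logs when the parameter is in the URL.
            findings.append((ip, "tracking-setting-change", action))
    return findings

# Constructed sample data (documentation IP ranges, hypothetical site URL).
SITE = "https://blog.example.test/"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action={redux_action_hash(SITE)} HTTP/1.1" 200 32',
    '203.0.113.7 - - [01/Jan/2000:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=0123456789abcdef0123456789abcdef&redux_framework_disable_tracking=1 HTTP/1.1" 200 2',
    '198.51.100.4 - - [01/Jan/2000:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50',
]

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG, SITE):
        print(finding)
```

Parameters sent only in a POST body do not appear in standard access logs, so the second rule catches only requests that carry the setting in the query string, as in the example request above.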