REST Nonce
The REST nonce can be part of additional chained exploitation. It is, broadly speaking, a one-time CSRF token.
Exploitation
As an authenticated user, the following GET request may be used to generate a new REST nonce token to be chained in other exploits:
/wp-admin/admin-ajax.php?action=rest-nonce
This nonce value is sometimes reflected in the response header:
X-Wp-Nonce: 5bbcde1e4e
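For detection, the request above can be looked for in web server access logs. The following is an added example, not part of the original page: it flags `action=rest-nonce` requests and lists state-changing REST API requests from the same client shortly afterwards. The log lines are constructed, and the combined log format, the missing `/wp-admin/` Referer heuristic and the 5-minute window are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 10 "-" "example-client/1.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 512 "-" "example-client/1.0"
198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 10 "https://blog.example/wp-admin/post.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:05:02 +0000] "POST /index.php?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 900 "https://blog.example/wp-admin/post.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:11:00:00 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=rest-nonce HTTP/1.1" 200 10 "-" "example-client/1.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
WRITE = {"POST", "PUT", "PATCH", "DELETE"}

def parse(log):
    """Yield (ip, time, method, path, query dict, referer) for each parsable line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, method, target, _status, referer, _ua = m.groups()
            url = urlsplit(target)
            yield (ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method,
                   url.path, parse_qs(url.query), referer)

def is_nonce_fetch(path, query):
    # Parsing the query string catches the parameter in any position.
    return path.endswith("/wp-admin/admin-ajax.php") and "rest-nonce" in query.get("action", [])

def is_rest_write(method, path, query):
    # The REST API is reachable as /wp-json/... or through ?rest_route=...
    return method in WRITE and ("/wp-json/" in path or "rest_route" in query)

def find_chains(log, window=timedelta(minutes=5)):
    """Return [(ip, nonce_time, [REST writes])] for nonce fetches lacking a wp-admin Referer."""
    pending, findings = {}, []
    for ip, when, method, path, query, referer in parse(log):
        if is_nonce_fetch(path, query) and "/wp-admin/" not in referer:
            pending[ip] = (when, [])
            findings.append((ip, when, pending[ip][1]))
        elif ip in pending and is_rest_write(method, path, query) and when - pending[ip][0] <= window:
            pending[ip][1].append(path if "/wp-json/" in path else query["rest_route"][0])
    return findings

if __name__ == "__main__":
    for ip, when, writes in find_chains(SAMPLE_LOG):
        print(ip, when.isoformat(), writes or "no REST write in window")
```

Access logs only show the query string, so a request that passes `action` in a POST body would need application-level logging to be seen.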