Hello,
You can bypass the “validation” of the drop down list, just POSTing with some tool/manually the string that you want, for example, with simple curl command. You only need the correct wp-admin SESSION to do that.
As you said, it’s only in the wordpress administration, but what happend if the mysql user is root? You can read contents from another databases, or file systems or maybe, run commands in the OS. Remember in wordpress there are others kinds of users like editors, contributors, etc.
Regards
