There is a PoC on GitHub too now - it improves my findings by directly invoking the session corresponding to the saved object so you don't have to wait for periodic refreshes:
Edit: Wallarm published an update showing that exploit traffic was detected before a PoC was public. Problem is my writeup&PoC was published well before their detection :P