## https://sploitus.com/exploit?id=WPEX-ID:4423B023-CF4A-46CB-B314-7A09AC08B29A
Upload a file with an allowed WordPress extension, such as JPG, with a script injected into it, such as: <script>alert(1);</script>. The uploaded file's ID can be seen in the page source, in the data-file-url attribute of the (Preview) button, in the form /shared-files/{FILE_ID}/?xss.jpg. The script can then be triggered by requesting HTTP://url.com/shared-files/{FILE_ID}/?xss.jpg