## https://sploitus.com/exploit?id=WPEX-ID:58F72953-56D2-4D86-A49B-311B5FC58056
1. Add the following shortcode to a page:
[file_manager_advanced login="no" path="wp-content" hide="plugins" operations="upload,download" view="grid" theme="light" lang ="en" upload_allow="image/png" upload_max_size="2G"]
2. As an unauthenticated user, visit the page. Upload a PHP file and intercept the upload request.
3. Intercept the request and modify the POST parameter `upload_allow` to have the value `all`.
4. See that the PHP file was uploaded and can be accessed.