1. Add the following shortcode to a page:

[file_manager_advanced login="no" path="wp-content" hide="plugins" operations="upload,download" view="grid" theme="light" lang ="en" upload_allow="image/png" upload_max_size="2G"]

2. As an unauthenticated user, visit the page. Upload a PHP file and intercept the upload request.
3. Intercept the request and modify the POST parameter `upload_allow` to have the value `all`.
4. See that the PHP file was uploaded and can be accessed.