Author: Raad Haddad of Cloudyrion GmbH
WPVDB-ID: 1C8C5861-CE87-4813-9E26-470D63C1903A
Published: Jul 25, 2022

WP-DBManager < 2.80.8 - Admin+ Remote Command Execution

Source: wpscan.com

EPSS: 0.001 (Low), percentile 43.1%

The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super administrators should be able to do so.

PoC

1. Use any WordPress plugin that allows users to upload files; the ".php" extension is not required, for example ".jpg" (many plugins allow such extensions).
2. Upload your malicious file, for example test_rce.jpg, with the following content:
3. Go to "DB Options" under the WP-DBManager plugin.
4. Set the payload below as the value of the "Path To mysqldump" parameter: /usr/bin/php /var/www/blog/test_rce.jpg
5. Go to "Backup DB" and click the "Backup" button.
6. The command gets executed without any issues.
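The root cause described above is that a site administrator can store an arbitrary command line as the "Path To mysqldump" setting, which the backup routine then executes. The following PHP is an added illustration of how such a setting can be validated on save; it is not WP-DBManager's own code or its fix, the wpdbm_example_* function names are hypothetical, and the allowed-directory list is an assumption.

```php
<?php
// Added example, not from the plugin. Validates a user-supplied mysqldump
// path so that only a bare path to a real dump binary in an allowed
// directory is accepted; anything resembling a command line is rejected.

/**
 * Return true only if $path is a single bare filesystem path (no spaces,
 * no shell metacharacters) that resolves to an executable named mysqldump
 * or mariadb-dump inside one of $allowed_dirs.
 */
function wpdbm_example_is_safe_mysqldump_path(
    string $path,
    array $allowed_dirs = ['/usr/bin', '/usr/local/bin', '/usr/local/mysql/bin'] // assumption
): bool {
    // A legitimate value is one absolute path; spaces, quotes, ;, |, &, $, `
    // and friends have no business here, which also blocks "/usr/bin/php /path/x.jpg".
    if (!preg_match('~^/[A-Za-z0-9_./-]+$~', $path)) {
        return false;
    }
    // Resolve symlinks and ".." before checking where the file really lives.
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return false;
    }
    // mariadb-dump is accepted because some distributions ship mysqldump as a symlink to it.
    if (!in_array(basename($real), ['mysqldump', 'mariadb-dump'], true)) {
        return false;
    }
    foreach ($allowed_dirs as $dir) {
        if (dirname($real) === rtrim($dir, '/')) {
            return true;
        }
    }
    return false;
}

/**
 * Authorization gate for saving the setting: on multisite only a super admin
 * may change it, on a single site an administrator may, and in both cases
 * the value must pass the allowlist check above. Uses WordPress core
 * capability functions, so this part only runs inside WordPress.
 */
function wpdbm_example_can_save_mysqldump_path(string $path): bool {
    $allowed = is_multisite() ? is_super_admin() : current_user_can('manage_options');
    return $allowed && wpdbm_example_is_safe_mysqldump_path($path);
}

// Stand-alone check of the validator against the advisory's PoC value.
var_dump(wpdbm_example_is_safe_mysqldump_path('/usr/bin/php /var/www/blog/test_rce.jpg'));
```

The capability gate alone would not be enough, since a super admin's stored value is still executed; the path allowlist is what removes the command-execution sink.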

CPE Name       Operator   Version
wp-dbmanager   lt         2.80.8

