The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.
1. Navigate to: Appearance > Import Demo Content > Theme Demo Importer > Manually upload the demo files
2. Use the XML file import option to upload a PHP file containing this content:
3. Find the file at https://example.com/wp-content/uploads/YYYY/MM/your-file.php
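The missing check on the XML import option could look like the following. This is an added example, not the plugin's code or its actual fix: `validate_xml_import()` is a hypothetical helper, and it assumes the XML slot expects a WordPress WXR export (root element `<rss>`).

```php
<?php
// Added example, not the plugin's code. validate_xml_import() is a hypothetical helper.
// Assumption: the XML import slot expects a WordPress WXR export, whose root element is <rss>.
function validate_xml_import(string $tmpPath, string $clientName): array
{
    // 1. Allowlist the client-supplied name: one ".xml" extension, no path parts,
    //    so "your-file.php" and "demo.xml.php" are both refused.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $clientName)) {
        return [false, 'file name is not a plain .xml name'];
    }
    // 2. The content must be non-empty, well-formed XML (no network fetches while parsing).
    $data = @file_get_contents($tmpPath);
    if ($data === false || $data === '') {
        return [false, 'file is empty or unreadable'];
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($data, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$parsed) {
        return [false, 'content is not well-formed XML'];
    }
    // 3. The root element must be the one the importer expects.
    if ($doc->documentElement->nodeName !== 'rss') {
        return [false, 'unexpected root element'];
    }
    // 4. Store under a server-generated name so the stored extension is never client-chosen.
    return [true, bin2hex(random_bytes(16)) . '.xml'];
}

// Constructed sample inputs, written to temp files so the example runs offline.
$samples = [
    'demo.xml'      => '<?xml version="1.0"?><rss version="2.0"><channel/></rss>',
    'your-file.php' => 'not xml',
    'demo.xml.php'  => '<?xml version="1.0"?><rss version="2.0"><channel/></rss>',
    'notes.xml'     => 'plain text renamed to .xml',
];
foreach ($samples as $name => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'imp');
    file_put_contents($tmp, $body);
    [$ok, $detail] = validate_xml_import($tmp, $name);
    printf("%-14s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $detail);
    unlink($tmp);
}
```

Only `demo.xml` is accepted; the other three constructed samples are rejected on name or content before anything is written to the uploads directory.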