Reference: https://www.pluginvulnerabilities.com/2017/04/21/cross-site-request-forgery-csrfarbitrary-file-upload-vulnerability-in-thecartpress/

The following proof of concept will upload the selected file to the directory /wp-content/plugins/dop-slider/uploads/. Make sure to replace “[path to WordPress]” with the location of WordPress.