Reference: https://www.pluginvulnerabilities.com/2017/04/20/arbitrary-file-upload-vulnerability-in-woocommerce-catalog-enquiry/ The following proof of concept will upload the selected file to the directory /wp-content/uploads/catalog_enquiry/. Make sure to replace “[path to WordPress]” with the location of WordPress.