Reference: https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-woocommerce-extra-fields/ The following proof of concept will upload the selected file to the directory /wp-content/uploads/product_files/ as upload.php. WooCommerce needs to be enabled for this to work. Make sure to replace “[path to WordPress]” with the location of WordPress.