Recently, I was looking at some WordPress plugins and found that they were a good place to practice because there are many of them, and each one has source code that can be viewed. You can do black-box or white-box testing, and installation is also very convenient.
This article will discuss a vulnerability I found a while ago, which uses the most basic and classic attack method: file upload leading to RCE.
Vulnerability ID: CVE-2022-27862
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Arbitrary File Upload leading to RCE