Description: File upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a pdf file with hidden XSS.
Attack Vectors: A vulnerability in Media file upload sanitation allows you to upload a PDF file with hidden XSS.
When logging into the panel, we will go to the "Media" section off General Menu.
We upload the PDF file with the hidden XSS and we see that we can execute it and the Reflected XSS appears.
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html