An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.
WordPress 6.5.x
Exploit
CVE-2020-35945
NVD
Refer to CVE-2020-35945 NVD advisory