CVE-2018-25335
WordPress · Plugin Peugeot
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability allowing unauthenticated remote code execution via the upload.php endpoint.
Executive summary
An unauthenticated arbitrary file upload vulnerability in the WordPress Plugin Peugeot Music allows attackers to execute malicious code on the server, posing a critical risk to site integrity.
Vulnerability
The vulnerability exists in the upload.php endpoint, which fails to properly validate file extensions during the upload process. This allows unauthenticated attackers to upload and execute arbitrary files, including web shells, within the uploads directory.
Business impact
Successful exploitation of this vulnerability leads to full server compromise, enabling attackers to execute arbitrary code, modify site content, or exfiltrate sensitive database information. Given the CVSS score of 9.8, this flaw represents a maximum-severity risk that could result in total service takeover and significant reputational damage.
Remediation
Immediate Action: Update the WordPress Plugin Peugeot to the latest available version provided by the developer. If no patch exists, disable or remove the plugin immediately to neutralize the vector.
Proactive Monitoring: Review web server access logs for anomalous requests to the upload.php file and scan the /wp-content/uploads/ directory for suspicious script files.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block POST requests to the upload.php file from unauthorized sources or to restrict file types permitted in the upload directory.
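A defender-side check for the monitoring step above, added here as an example and not part of the advisory or the plugin: it parses access-log lines for POST requests to upload.php and for requests to script files under /wp-content/uploads/, and filters a directory listing the same way. The sample log lines and the plugin directory name are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample access-log lines (Apache combined format); the plugin
# directory name is assumed, the advisory only names the upload.php endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/peugeot-music/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-content/plugins/peugeot-music/upload.php HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "GET /wp-content/uploads/2024/01/cache.php?x=1 HTTP/1.1" 200 88 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
UPLOADS_DIR = "/wp-content/uploads/"

def is_script_path(path):
    # Check every suffix so "shell.php.jpg" is caught, not only "shell.php".
    return any(s.lower() in SCRIPT_EXTS for s in PurePosixPath(path).suffixes)

def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_suspicious_requests(log_text):
    # Returns (POSTs to upload.php, requests for script files under uploads/).
    upload_posts, script_hits = [], []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and PurePosixPath(rec["path"]).name == "upload.php":
            upload_posts.append(rec)
        elif rec["path"].startswith(UPLOADS_DIR) and is_script_path(rec["path"]):
            script_hits.append(rec)
    return upload_posts, script_hits

def find_script_files(paths):
    # Filter a listing of the uploads directory (e.g. Path(d).rglob("*")) to script files.
    return sorted(str(p) for p in paths if is_script_path(str(p)))

if __name__ == "__main__":
    for rec in sum(find_suspicious_requests(SAMPLE_LOG), []):
        print(rec["ip"], rec["method"], rec["path"], rec["status"])
```

A hit on the second check (a script file being requested from the uploads directory) is a stronger indicator than a lone POST, since legitimate uploads never need to serve PHP from there.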
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is critical and requires immediate intervention to prevent unauthorized code execution. Administrators should prioritize patching or removing the plugin, as the lack of authentication makes this an easy target for automated exploitation tools.