CVE-2018-25436
WordPress · Baggage Freight Shipping Australia Plugin
The WordPress Baggage Freight Shipping Australia plugin contains an unrestricted file upload vulnerability allowing unauthenticated remote code execution.
Executive summary
An unauthenticated arbitrary file upload vulnerability in the Baggage Freight Shipping Australia plugin allows attackers to achieve remote code execution.
Vulnerability
The plugin's upload-package.php endpoint fails to validate file extensions, allowing unauthenticated attackers to upload malicious files directly to the server.
Business impact
With a CVSS score of 9.8, this vulnerability allows for complete site compromise. An attacker can upload web shells to gain persistent access, leading to data breaches, unauthorized modifications, and the redirection of site traffic.
Remediation
Immediate Action: Deactivate and remove the Baggage Freight Shipping Australia plugin if it is not strictly necessary; otherwise, check the vendor for the latest security update.
Proactive Monitoring: Scan the plugin's upload directory for executable scripts (e.g., .php files) that should not be present.
Compensating Controls: Use a WAF to block POST requests directed at the upload-package.php endpoint.
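The "Proactive Monitoring" item above can be turned into a repeatable check. The following POSIX shell script is an added example written for this advisory; it is not code from the plugin or its vendor, and the uploads path, the extension list and the sample file names it creates are assumptions. It reports files under a WordPress uploads tree that carry a server-side script extension anywhere in the name (so double extensions such as name.php.jpg are caught), and separately reports files whose content starts with a PHP open tag regardless of extension, which catches a script renamed to look like an image.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): detect server-side
# script files that should never exist under a WordPress uploads directory.
# Paths, extension list and sample files below are assumptions for the demo.

# List regular files whose name contains a PHP-family extension, including
# double extensions like "x.php.jpg" and case variants like "x.PHTML".
scan_uploads_for_scripts() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.php.*' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \)
}

# List regular files whose content contains a PHP open tag, whatever the
# extension; this catches scripts disguised as media files.
scan_uploads_for_php_content() {
    dir="$1"
    find "$dir" -type f -exec grep -lF '<?php' {} +
}

# Counts used by the usage section and by automated checks.
count_upload_scripts() {
    scan_uploads_for_scripts "$1" | wc -l | tr -d ' '
}

count_php_content() {
    scan_uploads_for_php_content "$1" | wc -l | tr -d ' '
}

# Build a throwaway directory with constructed sample files (not real data)
# so the scan can be demonstrated offline. Prints the directory path.
make_demo_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/05"
    : > "$d/2024/05/photo.jpg"          # legitimate upload
    : > "$d/2024/05/invoice.pdf"        # legitimate upload
    : > "$d/2024/05/cache.php"          # script extension, should not exist
    : > "$d/2024/05/image.php.jpg"      # double extension
    : > "$d/2024/05/index.PHTML"        # case variant of a script extension
    # Constructed marker: a file with an image name but PHP content inside.
    printf '<?php /* constructed demo marker */ ?>\n' > "$d/2024/05/banner.gif"
    echo "$d"
}

# Usage: scan the demo tree (replace with your real wp-content/uploads path).
DEMO_DIR=$(make_demo_uploads)
echo "Files with script extensions under $DEMO_DIR:"
scan_uploads_for_scripts "$DEMO_DIR"
echo "Files containing a PHP open tag under $DEMO_DIR:"
scan_uploads_for_php_content "$DEMO_DIR"
echo "extension hits: $(count_upload_scripts "$DEMO_DIR"), content hits: $(count_php_content "$DEMO_DIR")"
rm -rf "$DEMO_DIR"
```

Point both scan functions at the real wp-content/uploads directory and run them from cron or a file-integrity job; any hit is worth treating as an incident indicator rather than silently deleting, since the file's timestamp and the web server access log around it show how it arrived. This check complements, and does not replace, the WAF rule above and removal or patching of the plugin.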
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the critical nature of unrestricted file upload vulnerabilities, immediate removal or patching of the affected plugin is mandatory to protect the WordPress environment from unauthorized code execution.