CVE-2020-36849
AIT CSV Import/Export plugin for WordPress: unauthenticated arbitrary file upload leading to remote code execution
Executive summary
A critical vulnerability has been identified in the AIT CSV Import/Export plugin for WordPress, assigned CVE-2020-36849. The flaw allows an attacker with no WordPress account or session to upload arbitrary files, including PHP scripts, to a web-accessible directory on the server and then execute them by requesting them over HTTP. Successful exploitation gives the attacker code execution as the web server user and can lead to complete compromise of the affected website, data theft, service disruption, and further unauthorized access to the surrounding network.
Vulnerability
The vulnerability is an Arbitrary File Upload flaw in the AIT CSV Import/Export WordPress plugin. The weakness is in the plugin's upload-handler.php script, which accepts a file from an HTTP request without verifying that it is a CSV file: neither the client-supplied filename extension nor the file contents are checked, and the handler can be reached without authentication, so WordPress's capability checks and nonces do not apply. An attacker exploits this by sending a crafted multipart POST to the upload handler with a malicious script, such as a PHP web shell, in place of the expected CSV. Because the file is written under a web-accessible directory with the name the attacker chose, the attacker can then request it directly over HTTP and the server will run it with the permissions of the web server process (for example the www-data user), giving full remote code execution (RCE).
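To make the missing validation concrete, the following Python is an added example written for this page; it is not the plugin's code (the plugin is written in PHP and its handler is not reproduced here). It contrasts a handler that trusts the client-supplied filename, which models the weakness described above, with a hardened check that allow-lists every dotted suffix, rejects path separators, and inspects the bytes for a PHP open tag before treating the upload as CSV. The sample uploads in the block are constructed.

```python
import csv
import io
import re

# Suffixes that a PHP-enabled web server may hand to the interpreter. Any one of
# these reaching a web-accessible directory is the bug this advisory describes.
EXECUTABLE_SUFFIXES = {
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "pht", "phtml", "phar",
}
ALLOWED_SUFFIXES = {"csv"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")


def naive_accepts(filename: str, data: bytes) -> bool:
    """Models the weakness described above: keep whatever name the client sent
    and never look at the bytes. Illustrative only; not the plugin's code."""
    return bool(filename) and data is not None


def check_filename(filename: str) -> str:
    """Return 'ok' or a rejection reason for a client-supplied upload name."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return "path separator or NUL in name"
    parts = filename.split(".")
    if len(parts) < 2 or not parts[0]:
        return "missing stem or extension"  # e.g. '.htaccess' or 'README'
    stem, suffixes = parts[0], [p.lower() for p in parts[1:]]
    if not SAFE_STEM.match(stem):
        return "stem has characters outside [A-Za-z0-9_-]"
    # Every dotted suffix must be allowed. This rejects 'shell.php.csv' and
    # 'shell.pHP5', which defeat naive last-extension or case-sensitive checks.
    for s in suffixes:
        if s in EXECUTABLE_SUFFIXES:
            return f"executable suffix .{s}"
        if s not in ALLOWED_SUFFIXES:
            return f"suffix .{s} not in allow-list"
    return "ok"


def check_content(data: bytes) -> str:
    """Return 'ok' if the bytes look like plain-text CSV, else a reason."""
    if b"\x00" in data:
        return "binary content"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8 text"
    if "<?" in text:
        return "PHP open tag in body"  # catches '<?php' and short tags alike
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or not any(rows):
        return "no CSV rows"
    return "ok"


def validate_upload(filename: str, data: bytes) -> str:
    """Hardened check: both the name and the bytes must pass."""
    verdict = check_filename(filename)
    if verdict != "ok":
        return verdict
    return check_content(data)


if __name__ == "__main__":
    # Constructed sample uploads, not captured traffic.
    samples = [
        ("products.csv", b"sku,price\nA1,9.99\n"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.csv", b"sku,price\n"),
        ("shell.pHP5", b"<?php echo 1; ?>"),
        ("../../wp-config.csv", b"a,b\n"),
        ("legit.csv", b"<?php echo 'csv'; ?>"),
    ]
    for name, body in samples:
        print(f"naive={naive_accepts(name, body)!s:5} "
              f"hardened={validate_upload(name, body):<40} {name}")
```

The allow-list is deliberately strict: a name such as report.2020.csv is rejected because "2020" is not an allowed suffix, which is the safer default when the server's handler mapping for multi-dotted names is unknown. The content check is a sanity filter, not a substitute for the extension rule; the extension rule is what keeps the file from ever being executable.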
Business impact
This vulnerability is rated critical with a CVSS score of 9.8, reflecting that it is remotely exploitable without credentials or user interaction and yields full control of the web server. Exploitation can lead to complete system compromise, allowing an attacker to steal sensitive data such as customer information, user credentials, and proprietary business data. Further consequences include website defacement, hosting of malware or phishing pages, which damages brand reputation, and use of the compromised server as a foothold for attacks against the internal corporate network. The potential financial, reputational, and operational costs of a breach of this nature are severe.
Remediation
Immediate Action: Update the AIT CSV Import/Export plugin to the latest version provided by the vendor. Before and after patching, review web server access logs and the file system for indicators of compromise, such as unexpected PHP files under wp-content/uploads or other web-accessible directories, and POST requests to upload-handler.php from clients that are not known administrators. Because the handler needs no session, a single unexpected POST is sufficient reason to inspect the upload directories.
Proactive Monitoring: Implement continuous monitoring of web server logs, specifically watching for requests to /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php and for requests to files with executable extensions (e.g., .php, .phtml, .php5, .phar) under web-accessible upload directories. Note that an access log records the POST to the handler but not the name of the uploaded file, so the later request for the dropped script, typically from the same client address, is the stronger signal. Use a File Integrity Monitoring (FIM) solution to alert on the creation of new, unauthorized files in web-accessible directories. Monitor for suspicious outbound network traffic from the web server, which could indicate a command-and-control channel from a web shell.
Compensating Controls: If patching cannot be performed immediately, disable the AIT CSV Import/Export plugin to remove the attack vector. Alternatively, deploy a Web Application Firewall (WAF) with rules configured to block multipart uploads whose filenames carry executable extensions, keeping in mind that extension checks must be case-insensitive and cover double extensions such as .php.csv. As a further hardening measure, configure the web server so that scripts are never executed from upload directories, for example by refusing to pass files under wp-content/uploads to the PHP handler; this limits an uploaded web shell to being served as inert text even if the plugin accepts it.
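As an added example of the log monitoring recommended under Proactive Monitoring above (this is not part of the original advisory and not vendor tooling), the following Python scans combined-format access log lines for POSTs to the upload handler and for requests to PHP-family script names under /wp-content/uploads, and raises the severity when the same client does both within an hour. The handler path is the one given in this advisory; the log lines, client addresses and timestamps are constructed, and the one-hour correlation window is an assumption to tune for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and nginx (the default "combined").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
HANDLER = "/wp-content/plugins/ait-csv-import-export/admin/upload-handler.php"
# A request path under uploads ending in a PHP-family suffix, or with that suffix
# followed by PATH_INFO ("/shell.php/x"). Query strings are stripped before matching.
SCRIPT_IN_UPLOADS = re.compile(
    r"^/wp-content/uploads/.*\.(?:php\d?|phtml|pht|phar|phps)(?:/|$)", re.IGNORECASE
)
WINDOW_SECONDS = 3600  # assumed correlation window between upload and fetch


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def analyze(lines):
    """Return (severity, client_ip, detail) alerts in log order."""
    alerts = []
    handler_posts = defaultdict(list)  # client ip -> timestamps of POSTs to the handler
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == HANDLER:
            # Any POST here is worth a look: the handler needs no WordPress session.
            handler_posts[ev["ip"]].append(ev["ts"])
            alerts.append(("medium", ev["ip"], "POST to upload-handler.php"))
        elif SCRIPT_IN_UPLOADS.match(ev["path"]):
            recent = [
                t for t in handler_posts[ev["ip"]]
                if 0 <= (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS
            ]
            if recent:
                delta = int((ev["ts"] - max(recent)).total_seconds())
                alerts.append(("high", ev["ip"],
                               f"{ev['path']} requested {delta}s after POST to upload handler"))
            else:
                alerts.append(("medium", ev["ip"],
                               f"script requested under uploads: {ev['path']}"))
    return alerts


# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2024:10:15:02 +0000] "POST /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php HTTP/1.1" 200 63 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jan/2024:10:15:04 +0000] "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.4 - - [05/Jan/2024:10:20:10 +0000] "GET /wp-content/uploads/2024/01/brochure.pdf HTTP/1.1" 200 84120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2024:11:02:33 +0000] "GET /wp-content/uploads/old/backdoor.phtml HTTP/1.1" 404 0 "-" "curl/8.4"
192.0.2.77 - - [05/Jan/2024:11:30:00 +0000] "GET /wp-admin/admin.php?page=ait-csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for severity, ip, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {ip:15} {detail}")
```

The correlation is keyed on client address, which is adequate for a quick hunt but not a guarantee: an attacker can upload from one address and fetch from another, so every medium alert for a script name under uploads still deserves a look at the file system, and the 404 in the sample is a probe worth knowing about even though nothing was served.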
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical CVSS score of 9.8 and the availability of a public exploit, this vulnerability represents an immediate and severe risk to the organization. We recommend that remediation be treated with the highest priority. All instances of the affected AIT CSV plugin must be updated without delay. Following the update, a compromise assessment is strongly advised to hunt for any pre-existing malicious activity. Do not wait for evidence of active exploitation to act.