An unauthenticated arbitrary file upload vulnerability in the WordPress MStore API enables remote code execution, posing a critical threat to server integrity.

This is an unauthenticated arbitrary file upload vulnerability within the REST API endpoint. Attackers can submit crafted POST requests to the config_file endpoint to upload malicious PHP files and execute arbitrary code.

With a CVSS score of 9.8, this vulnerability represents a critical risk of full system compromise. Successful exploitation grants attackers remote code execution capabilities, allowing for complete control over the web server, data exfiltration, and the ability to pivot into the internal network.

Immediate Action: Update the MStore API to the latest patched version available from the vendor.

Proactive Monitoring: Inspect the web server's upload directories and system logs for unexpected PHP files or unauthorized POST requests targeting the REST API.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block POST requests containing executable file extensions directed at the REST API endpoints.

Public Exploit Available: Unknown

The critical nature of this remote code execution vulnerability requires immediate attention. Administrators must verify their MStore API version and apply updates immediately to prevent potential server takeover.