CVE-2021-47940
WordPress · Plugin Download
An arbitrary file upload vulnerability in the Plugin Download WordPress plugin allows unauthenticated attackers to upload and execute malicious files via the admin-ajax.php endpoint.
Executive summary
An unauthenticated arbitrary file upload vulnerability in the WordPress Plugin Download plugin allows attackers to achieve remote code execution by bypassing file extension restrictions.
Vulnerability
The flaw is in the plugin's AJAX file-upload handler (the download_from_files_617_fileupload action, reachable through admin-ajax.php without authentication). Because the allowed-extension list is taken from the client-supplied allowExt parameter, an attacker can set it to permit PHP and upload an executable PHP shell to the web root.
Business impact
The CVSS score of 9.8 reflects the high probability of total system compromise. By uploading and executing malicious scripts, an attacker can gain administrative access, steal sensitive configuration data, or use the server as a node for further malicious activities.
Remediation
Immediate Action: Update the Plugin Download plugin to the latest version immediately to ensure file extension validation is correctly enforced.
Proactive Monitoring: Monitor server logs for requests to admin-ajax.php that include the download_from_files_617_fileupload action and investigate any suspicious file modifications in the web root.
Compensating Controls: Configure file system permissions to prevent the web server user from executing files uploaded to the plugin's upload directory.
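The log monitoring recommended above, as an added example that is not part of the original advisory: a small Python scanner over web-server access logs (combined format) that flags requests to admin-ajax.php carrying the download_from_files_617_fileupload action, records the allowExt value for triage, and separately flags any request for a .php file under wp-content/uploads, which would indicate an upload being executed. The log lines are constructed samples; an access log only shows the action when it is passed in the query string, so POST-body-only calls need a WAF or application-level log instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

SUSPECT_ACTION = "download_from_files_617_fileupload"  # AJAX action named in the advisory
UPLOADS_PREFIX = "/wp-content/uploads/"

# Combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one upload attempt with allowExt=php, one fetch of the
# dropped file, and two benign requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=download_from_files_617_fileupload&allowExt=php HTTP/1.1" 200 35 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/03/x.php'
    ' HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 40 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:02 +0000] "GET /wp-content/uploads/2024/03/photo.jpg'
    ' HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one access-log line into its fields, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = parse_qs(parts.query)
    return d

def find_upload_attempts(lines):
    """Return (kind, ip, timestamp, status, detail) tuples for suspicious requests."""
    hits = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        if d["path"].endswith("admin-ajax.php") and SUSPECT_ACTION in d["query"].get("action", []):
            allow_ext = ",".join(d["query"].get("allowExt", []))  # client-supplied extension list
            hits.append(("ajax_upload", d["ip"], d["ts"], d["status"], allow_ext))
        elif d["path"].startswith(UPLOADS_PREFIX) and d["path"].lower().endswith(".php"):
            hits.append(("php_in_uploads", d["ip"], d["ts"], d["status"], d["path"]))
    return hits

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(hit)
```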
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability provides a straightforward path for attackers to gain execution privileges. Organizations must treat this as a high-priority update and verify that the plugin is fully patched to block unauthorized file uploads.