CVE-2024-58348

WordPress · Background Image Cropper

WordPress Background Image Cropper 1.2 allows unauthenticated attackers to execute arbitrary code via an insecure file upload endpoint.

Executive summary

A critical remote code execution vulnerability in the WordPress Background Image Cropper plugin allows unauthenticated attackers to compromise the host server via arbitrary file uploads.

Vulnerability

The plugin contains an insecure file upload vulnerability in the ups.php endpoint. Unauthenticated attackers can use this endpoint to upload malicious PHP files, which are then stored on the server where they can be executed.

Business impact

This vulnerability carries a CVSS score of 9.8, indicating a critical severity level. Successful exploitation results in complete server compromise, allowing attackers to read, modify, or delete sensitive application data and potentially pivot into the wider network infrastructure.

Remediation

Immediate Action: Update the Background Image Cropper plugin to the latest version to address the insecure endpoint.

Proactive Monitoring: Review server logs for suspicious POST requests directed at ups.php and examine the plugin directory for unauthorized file modifications or new script uploads.

Compensating Controls: Use a WAF to restrict access to the ups.php file, and implement strict file type validation and execution restrictions on the plugin's upload directory.
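The two checks the Proactive Monitoring step describes, as an added example that is not part of the original advisory: one function flags POST requests to ups.php in combined-format web server logs, the other lists PHP-executable files in the plugin directory that are missing from a known-good manifest. The log lines are constructed, and PLUGIN_SLUG stands in for the plugin's real directory name, which the advisory does not give.

```python
import os
import re
import tempfile
# Apache/Nginx combined log prefix: client, ident, user, [time], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
def find_ups_php_posts(log_lines):
    """Return POST requests whose path ends in ups.php (query string ignored, any status code)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/ups.php"):
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "path": path, "status": int(m.group("status"))})
    return hits

def unexpected_php_files(plugin_dir, expected):
    """List PHP-executable files under plugin_dir that are absent from the known-good manifest."""
    found = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".phar")):
                rel = os.path.relpath(os.path.join(root, name), plugin_dir).replace(os.sep, "/")
                if rel not in expected:
                    found.append(rel)
    return sorted(found)
# Constructed sample log lines; PLUGIN_SLUG is a placeholder for the real plugin directory name.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "POST /wp-content/plugins/PLUGIN_SLUG/ups.php HTTP/1.1" 200 45',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/ups.php?v=1 HTTP/1.1" 200 45',
    '198.51.100.9 - - [01/Jan/2025:10:01:02 +0000] "POST /wp-content/plugins/PLUGIN_SLUG/ups.php?v=1 HTTP/1.1" 500 0',
]
def demo_unexpected_files():
    """Build a throwaway plugin tree (one expected file, one dropped script) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "ups.php"), "w").close()
        os.makedirs(os.path.join(d, "uploads"))
        open(os.path.join(d, "uploads", "unknown.php"), "w").close()
        return unexpected_php_files(d, {"ups.php"})

if __name__ == "__main__":
    print("POST requests to ups.php:", find_ups_php_posts(SAMPLE_LOG))
    print("unexpected PHP files:", demo_unexpected_files())
```

On a real host, feed the access log lines and the plugin's actual directory and the manifest from a clean copy of the plugin; a failed (non-200) POST is still reported because it may be a probe that preceded a successful upload.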

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The ease of exploitation for this remote code execution flaw necessitates immediate action. Administrators must update the plugin and verify the integrity of the WordPress installation to ensure no unauthorized files remain on the system.