CVE-2025-10041
The Flex QR Code Generator plugin for WordPress
A critical vulnerability has been identified in The Flex QR Code Generator plugin for WordPress, assigned a CVSS score of 9.8.
Executive summary
A critical vulnerability has been identified in The Flex QR Code Generator plugin for WordPress, assigned a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload malicious files, such as web shells, to the server. Successful exploitation could result in a complete compromise of the affected website, leading to data theft, website defacement, and further attacks originating from the compromised server.
Vulnerability
The plugin contains an arbitrary file upload vulnerability in its save_qr_code_to_db() function. The function does not properly validate the type of the user-supplied file it stores, and the request path that reaches it can be exercised without authentication. An attacker can therefore submit a request carrying a malicious script (for example, a PHP file) presented as an image, and the plugin writes it into the site's web-accessible storage. Because a standard WordPress installation executes PHP anywhere under the web root, including wp-content/uploads, the attacker then simply requests the stored file over HTTP; the server runs it, giving the attacker remote code execution as the web server user.
Business impact
This vulnerability is rated critical with a CVSS score of 9.8. Exploitation can lead to a complete loss of confidentiality, integrity, and availability for the affected website and the server hosting it. Likely business impact includes exfiltration of sensitive data (customer records, internal documents), financial loss, significant reputational damage, and abuse of the compromised server for malicious activity such as hosting phishing pages or malware. Any other site sharing the same hosting account or PHP process is exposed as well.
Remediation
Immediate Action: Update The Flex QR Code Generator plugin for WordPress to the latest version provided by the vendor, which addresses this vulnerability. After updating, confirm that the installed version is the vendor's fixed release and that the plugin is active; a patch that downloaded but did not install leaves the site exposed.
Proactive Monitoring: Review web server access logs for suspicious POST requests to plugin-related endpoints, followed by GET requests for script files under wp-content/uploads (the attacker fetching their web shell). Inspect the WordPress uploads directory for any non-image files (e.g., .php, .phtml, .sh). Do not rely on file extensions alone: a file can carry a valid image header and still contain PHP code, so check file contents as well. Implement file integrity monitoring to detect unauthorized changes to website files and directories.
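The following script is an added example, not code from the advisory or from the plugin's vendor, that performs the two checks described above and looks for the "PHP disguised as an image" pattern from the Vulnerability section. It sweeps an uploads tree for script extensions, for image files whose contents contain a PHP open tag, and for image-named files with the wrong magic bytes, and it scans Apache/nginx combined-format access log lines for POSTs to plugin endpoints and for GETs of script files under wp-content/uploads. The sample files and log lines are constructed for the demo; the plugin slug flex-qr-code-generator and the AJAX action name save_qr_code are assumptions, since the advisory does not name the endpoint, so substitute the real values from your installation.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions a PHP-enabled web server will commonly execute; none of them
# belong under wp-content/uploads, whatever plugin wrote them.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".sh"}

# Magic bytes for the image formats a QR-code generator would legitimately write.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMPTION: the advisory does not name the plugin's endpoint. These markers are
# placeholders; replace them with the slug/action your installation actually uses.
PLUGIN_PATH_MARKERS = ("flex-qr-code-generator", "admin-ajax.php")


def classify_file(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if it looks benign."""
    # Check every suffix so a double extension such as shell.php.png is caught.
    if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
        return "script-extension"
    with path.open("rb") as f:
        body = f.read(1 << 20)  # the first 1 MiB is enough to expose a web shell
    is_image = body.startswith(IMAGE_MAGIC)
    if PHP_TAG.search(body):
        # A valid image header followed by PHP is the "disguised as an image" case.
        return "php-in-image" if is_image else "php-content"
    if path.suffix.lower() in IMAGE_EXTENSIONS and not is_image:
        return "bad-magic"
    return None


def find_suspicious_uploads(root) -> Dict[str, str]:
    """Walk an uploads tree and map relative path -> finding label."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify_file(p)
            if label:
                findings[p.relative_to(root).as_posix()] = label
    return findings


def suspicious_posts(lines: List[str], markers=PLUGIN_PATH_MARKERS) -> List[Tuple[str, str, int]]:
    """POST requests whose path touches a plugin endpoint: (ip, path, status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and any(k in m["path"] for k in markers):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def shell_fetches(lines: List[str]) -> List[Tuple[str, str, int]]:
    """GET requests for script files under wp-content/uploads: (ip, path, status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith("/wp-content/uploads/") and any(
            s.lower() in SCRIPT_EXTENSIONS for s in Path(path).suffixes
        ):
            hits.append((m["ip"], path, int(m["status"])))
    return hits


def build_sample_uploads() -> str:
    """Create a constructed uploads tree (demo data, not from a real site)."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    sub = root / "2025" / "10"
    sub.mkdir(parents=True)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    (sub / "qr-1.png").write_bytes(png)                                   # legitimate image
    (sub / "qr.php").write_bytes(b"<?php system($_GET['c']); ?>")         # plain web shell
    (sub / "qr-2.png").write_bytes(png + b"<?php eval($_POST['x']); ?>")  # PHP behind a real PNG header
    (sub / "qr-3.jpg").write_bytes(b"not really an image")               # image name, wrong magic
    return str(root)


# Constructed log lines (RFC 5737 documentation addresses); action name is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=save_qr_code HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/uploads/2025/10/qr.php HTTP/1.1" 200 77 "-" "curl/8.4"',
    '198.51.100.4 - - [10/Oct/2025:12:01:00 +0000] "GET /wp-content/uploads/2025/10/qr-1.png HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2025:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_suspicious_uploads(build_sample_uploads()))
    print(suspicious_posts(SAMPLE_LOG))
    print(shell_fetches(SAMPLE_LOG))
```

Run the file-sweep part against the real wp-content/uploads directory and the log functions against the raw access log; a POST to the plugin endpoint followed within seconds by a GET for a .php file under uploads from the same address is the pattern to escalate. The content check matters because the attack in this advisory stores a script under an image name, which an extension-only sweep would miss.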
Compensating Controls: If immediate patching is not feasible, consider the following controls:
- Disable and deactivate the plugin until it can be safely updated.
- Implement a Web Application Firewall (WAF) with rules to block the upload of executable file types. Treat this as a stopgap only: rules keyed on file extension or declared Content-Type can be bypassed by a file that is named and framed as an image but contains PHP.
- Configure the web server to disallow script execution in the uploads directory (for example, by not passing files under wp-content/uploads to the PHP handler). This does not stop the upload itself, but it prevents the uploaded file from running, which is the step that turns the flaw into remote code execution.
Exploitation status
Public exploit available: Yes
Analyst recommendation
Given the critical CVSS score of 9.8 and the availability of a public exploit, this vulnerability requires immediate attention. We strongly recommend that organizations identify all instances of The Flex QR Code Generator plugin and apply the vendor-supplied patch without delay. Although this CVE is not currently on the CISA KEV list, its severity and the public exploit warrant treating it as an actively exploited threat. Because patching does not remove a web shell that was already uploaded, a thorough review for indicators of compromise (unexpected script files under wp-content/uploads, unfamiliar administrator accounts, modified core or plugin files) is advised after the update to confirm the system was not breached before remediation.