CVE-2025-10412
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress
Executive summary
A critical vulnerability has been identified in a premium WooCommerce plugin, "The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO". This flaw allows an unauthenticated attacker to upload malicious files to the server, which can lead to a complete website takeover. Successful exploitation could result in data theft, website defacement, and further attacks launched from the compromised server.
Vulnerability
The vulnerability is an arbitrary file upload caused by insufficient validation of uploaded file types: the plugin's checks can be bypassed, so a script file presented as a permitted type is accepted. An unauthenticated attacker can therefore upload a PHP web shell disguised as a legitimate file such as an image. If the file lands in a web-accessible directory (on WordPress, typically under wp-content/uploads) where the web server executes PHP, the attacker runs it simply by requesting its URL, which yields remote code execution (RCE) in the context of the web server user. This advisory does not name the affected versions or the specific upload endpoint; consult the vendor's release notes for the exact fixed version.
Business impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for severe damage. A successful exploit grants an attacker complete control over the affected website and underlying server. The potential business impact includes the theft of sensitive data such as customer personal information and payment details, significant financial loss from business disruption and regulatory fines (PCI-DSS, GDPR), and severe reputational damage. The compromised server could also be used to host malware, launch phishing campaigns, or attack other systems on the network.
Remediation
Immediate Action: The primary and most effective remediation is to immediately update "The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)" plugin to the latest patched version as recommended by the vendor. After patching, it is crucial to monitor systems for any signs of exploitation and thoroughly review web server access logs for suspicious file upload attempts or requests to unexpected files.
Proactive Monitoring: Monitor web server access and error logs for POST requests to the plugin's file upload endpoints carrying suspicious file names (e.g., .php, .phtml, .phar), and for any request to a script file under the uploads directory, which is the clearest sign that a shell has been dropped; a 200 response to such a request means the server executed or served it, whereas 403/404 indicates a blocked or failed attempt. Use a File Integrity Monitoring (FIM) solution to alert on the creation of new, unexpected executable files in web directories. Network traffic should be monitored for unusual outbound connections from the web server, which could indicate a command-and-control channel.
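The following is an added example of the log review described above, not tooling from the page or the vendor. It parses combined-format access log lines, flags every request for a script file under wp-content/uploads (script extension in any path segment, so shell.php.png is caught too), records whether the server answered 200, and correlates each hit with an earlier POST from the same client within a time window (upload, then trigger). The log lines are constructed, the IPs are documentation ranges, and the choice of /wp-admin/admin-ajax.php as the POST target is an assumption standing in for the plugin's real upload endpoint, which the advisory does not name.

```python
"""Added example (not from the page or the plugin): scan access logs for
script requests under the uploads tree. Sample log lines are constructed."""
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A script extension anywhere in the path, not only at the end.
SCRIPT_IN_PATH = re.compile(r'\.(php\d?|phtml|phar|phps|pht)(?=\.|$)', re.I)
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    return rec


def scan_access_log(lines, window=timedelta(minutes=5)):
    """One finding per request that targets a script under the uploads tree.
    executed: the server returned 200 (it ran or served the file).
    preceded_by_post: the same client POSTed anywhere within `window` before,
    i.e. an upload followed by the trigger request. Assumes chronological input."""
    last_post = {}      # ip -> timestamp of that client's most recent POST
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(UPLOADS_PREFIX) and SCRIPT_IN_PATH.search(rec["path"]):
            prior = last_post.get(rec["ip"])
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "executed": rec["status"] == 200,
                "preceded_by_post": prior is not None and rec["ts"] - prior <= window,
            })
        if rec["method"] == "POST":   # recorded after the check, so a POST to
            last_post[rec["ip"]] = rec["ts"]   # the shell itself is not its own precursor
    return findings


# Constructed sample log (documentation IP ranges; admin-ajax.php is assumed
# as the upload endpoint, the advisory does not name the real one).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.7 - - [12/Sep/2025:10:14:05 +0000] "GET /wp-content/uploads/2025/09/shell.phtml?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.20 - - [12/Sep/2025:10:15:40 +0000] "GET /wp-content/uploads/2025/09/product-photo.jpg HTTP/1.1" 200 48211 "https://shop.example/product/x" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2025:10:16:01 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.7 - - [12/Sep/2025:11:30:00 +0000] "GET /wp-content/uploads/2025/09/shell.php.png HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against real logs, the first finding is the one to escalate: a script under uploads answered with 200 seconds after a POST from the same address. The 403 and 404 hits still matter as evidence of probing and as confirmation that the server-side hardening (no PHP execution under uploads) is doing its job.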
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Use a Web Application Firewall (WAF) with rules specifically designed to block malicious file uploads by inspecting file extensions, declared content types and file contents. Treat this as a stopgap rather than a fix: WAF signatures are routinely bypassed with alternative extensions, encodings and polyglot files.
- If possible, disable the file upload functionality within the plugin until it can be patched.
- Harden the web server configuration to prevent script execution within the uploads directory, for example by denying the PHP handler for wp-content/uploads in the Apache or nginx configuration. This does not stop the upload, but it turns a web shell into an inert file.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This is a critical vulnerability that exposes the organization to complete system compromise. We strongly recommend that all administrators immediately apply the vendor-supplied patch to all websites using the affected WooCommerce plugin. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity score warrants immediate action. This remediation effort should be treated with the highest priority to prevent potential data breaches, financial loss, and reputational harm.