CVE-2025-10754
WordPress · WordPress DocoDoco Store Locator plugin
A high-severity vulnerability has been identified in the DocoDoco Store Locator plugin for WordPress, which could allow an unauthenticated attacker to take full control of an affected website.
Executive summary
A high-severity vulnerability has been identified in the DocoDoco Store Locator plugin for WordPress, which could allow an unauthenticated attacker to take full control of an affected website. The flaw stems from the plugin's failure to properly validate uploaded files, enabling an attacker to upload and execute malicious code. This could lead to website defacement, data theft, or the use of the server for further malicious activities.
Vulnerability
The vulnerability exists within the zip upload functionality of the DocoDoco Store Locator plugin. The application fails to validate the file types contained within an uploaded ZIP archive. An attacker can craft a malicious ZIP file containing a web shell (e.g., a PHP file) and upload it through the vulnerable endpoint. Upon processing, the server extracts the malicious file to a web-accessible directory, allowing the attacker to execute arbitrary code on the server with the privileges of the web server's user account.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to a complete compromise of the affected website and potentially the underlying server. The business impact includes, but is not limited to, theft of sensitive data (such as customer information or payment details), service disruption, reputational damage, and financial loss. The compromised website could also be used to host malware, launch phishing attacks, or serve as a pivot point for further attacks into the organization's network.
Remediation
Immediate Action: Update the DocoDoco Store Locator plugin to the latest patched version provided by the vendor without delay. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely uninstall it to remove the attack surface.
Proactive Monitoring: Monitor web server logs for suspicious POST requests to the plugin's file upload endpoints. Implement file integrity monitoring to detect the creation of unexpected files (e.g., .php, .phtml) in web-accessible directories. Watch for unusual outbound network traffic from the web server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block file uploads containing executable extensions within ZIP archives. Alternatively, restrict access to the plugin's administration and upload pages to trusted IP addresses only. Ensure file system permissions are hardened to prevent the web server process from executing scripts in upload directories.
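The check that the vulnerable upload path lacks, and that the WAF rule above approximates, can be stated precisely: inspect every entry name in the archive before anything is extracted. The following is an added example written for this advisory, not code from the plugin or its vendor; it audits an in-memory ZIP and reports entries that would be unsafe to extract into a web-accessible directory (server-executable extensions, including multi-extension names, handler-override files, and path traversal). The extension list is constructed and should be matched to the server's actual handler configuration.

```python
import io
import posixpath
import zipfile

# Extensions a typical PHP-enabled web server will execute. Constructed list:
# adjust to the handlers actually configured on the target server.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phps", "phar", "pht",
}
# Files that change how a directory is served and can re-enable execution.
HANDLER_OVERRIDE_FILES = {".htaccess", ".user.ini"}


def audit_zip(archive_bytes: bytes) -> list[str]:
    """Return reasons the archive must NOT be extracted into a web-accessible
    directory. An empty list means no finding. Only entry names are inspected."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = name.replace("\\", "/")  # normalise separators for the path checks
            parts = norm.split("/")
            # Zip-slip: absolute paths or '..' components escape the extraction root.
            if norm.startswith("/") or ".." in parts or (len(norm) > 1 and norm[1] == ":"):
                findings.append(f"path traversal: {name}")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(norm)
            if base in HANDLER_OVERRIDE_FILES:
                findings.append(f"handler override file: {name}")
                continue
            # Check every extension component so 'shell.php.jpg' is also caught
            # (some Apache AddHandler setups execute such names as PHP).
            hit = {e.lower() for e in base.split(".")[1:]} & EXECUTABLE_EXTENSIONS
            if hit:
                findings.append(f"executable extension {sorted(hit)}: {name}")
    return findings


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (constructed test data, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_zip({"stores.csv": b"id,name\n1,Main\n", "img/logo.png": b"\x89PNG"})
    suspect = build_sample_zip({"stores.csv": b"", "uploads/x.php": b"", "../../wp-config.php": b""})
    print(audit_zip(benign))   # []
    print(audit_zip(suspect))  # two findings: executable extension, path traversal
```

The same name-based gate belongs in the plugin's PHP extraction path before any entry is written to disk; a WAF that only inspects the outer upload's filename will not see entries inside the archive.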
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) and the critical impact of a successful exploit (Remote Code Execution), it is strongly recommended that organizations take immediate action. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for complete website compromise warrants an urgent response. All systems using the affected DocoDoco Store Locator plugin should be patched or have the plugin removed without delay to prevent potential compromise.