A high-severity vulnerability exists within the Zegen Core plugin for WordPress that could allow an attacker to take full control of an affected website. By tricking a logged-in administrator into clicking a malicious link, an attacker can upload a malicious file to the server, leading to remote code execution. This can result in complete system compromise, data theft, and website defacement.

The vulnerability is a combination of two weaknesses: insufficient Cross-Site Request Forgery (CSRF) protection and unrestricted file upload. The plugin's file upload functionality lacks a security token (nonce) to verify that requests are legitimate and intentional. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, will forge a request to the vulnerable WordPress site to upload a file of the attacker's choosing. Because the file upload function also fails to properly validate file types, the attacker can upload an executable script (such as a PHP web shell), granting them the ability to execute arbitrary code on the server.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation allows an attacker to achieve remote code execution on the web server, leading to a full compromise of the website and potentially the underlying server. The business impact includes the theft of sensitive data (customer information, payment details, intellectual property), reputational damage from website defacement or malware distribution, and the potential for the compromised server to be used as a pivot point for further attacks against the organization's internal network.

Immediate Action: Immediately update the Zegen Core plugin to the latest patched version provided by the vendor. If this plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.

Proactive Monitoring: After patching, security teams should review web server access logs for unusual POST requests to the plugin's file upload endpoints. Monitor the WordPress upload directories for any suspicious or unexpected files (e.g., .php, .phtml, .sh). Implement file integrity monitoring (FIM) to alert on unauthorized changes to core WordPress files or plugin directories.

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Implement a Web Application Firewall (WAF) with rules designed to block malicious file uploads and detect common web shell signatures.
• Enforce strict file permissions on the web server's upload directories to prevent the execution of scripts.
• Ensure all administrative users log out of their WordPress sessions when they are not actively managing the site to reduce the window of opportunity for a CSRF attack.

Public Exploit Available: false

Due to the high CVSS score and the potential for complete system compromise via remote code execution, this vulnerability presents a critical risk to the organization. We strongly recommend that the immediate remediation actions be prioritized and completed without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants immediate attention. After patching, a thorough review of the affected systems should be conducted to search for any indicators of prior compromise.