CVE-2025-11889

WordPress · WordPress "AIO Forms – Craft Complex Forms Easily" plugin

Executive summary

A high-severity vulnerability has been identified in the "AIO Forms – Craft Complex Forms Easily" plugin for WordPress. This flaw allows an unauthenticated attacker to upload malicious files to the server, which could lead to a complete website takeover. Successful exploitation could result in data theft, website defacement, or the server being used for further malicious activities.

Vulnerability

The vulnerability exists within the plugin's form import functionality. The import process fails to properly validate the types of files being uploaded, creating an arbitrary file upload vulnerability. An attacker can exploit this by crafting a malicious file (e.g., a PHP web shell) and uploading it through the import feature, bypassing the file-type checks that should reject it. Once the malicious file is on the server, the attacker can request it via a web browser to execute arbitrary code, gaining control over the website and the underlying server.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2, posing a significant risk to the organization. Successful exploitation can lead to a full compromise of the affected website. Potential consequences include theft of sensitive data (customer information, user credentials, proprietary data), website defacement causing reputational damage, and financial loss from business disruption or recovery costs. The compromised server could also be used as a pivot point to attack other internal network resources or be integrated into a botnet for launching attacks against other targets.

Remediation

Immediate Action: Update the "AIO Forms – Craft Complex Forms Easily" plugin to the latest version available from the vendor, which addresses this vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's import endpoint and look for uploads of unexpected file types (e.g., .php, .phtml, .php5). Check the server's file system for any unauthorized files, particularly in the WordPress uploads directory or plugin-specific folders. Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise and command-and-control communication.
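As an added example (not part of this advisory), the following Python script applies the two log checks above to a few constructed access-log lines: POST requests to the import endpoint, and any request for a .php/.phtml/.php5 file under the uploads directory. The advisory does not name the plugin's real import endpoint, so the script takes an endpoint marker as a parameter and the sample lines use an assumed placeholder path.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Server-side script extensions that should never be served from the uploads tree.
SCRIPT_EXT = (".php", ".phtml", ".php5")
UPLOADS_PREFIX = "/wp-content/uploads/"


def scan_access_log(lines, import_marker):
    """Return (rule, ip, target) tuples for requests matching either rule.

    import_marker: substring identifying the plugin's form-import endpoint.
    The advisory does not give the real path, so the caller supplies it.
    """
    marker = import_marker.lower()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        ip, method, target = m["ip"], m["method"], m["target"]
        path = urlsplit(target).path.lower()
        # Rule 1: POST to the import endpoint (marker may be in the path or the query).
        if method == "POST" and marker in target.lower():
            alerts.append(("import-post", ip, target))
        # Rule 2: a request that would execute a script stored in the uploads directory.
        if path.startswith(UPLOADS_PREFIX) and path.endswith(SCRIPT_EXT):
            alerts.append(("script-in-uploads", ip, target))
    return alerts


# Constructed sample log lines; the endpoint path is a placeholder, not the plugin's real one.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=PLUGIN_IMPORT_PLACEHOLDER HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/uploads/2025/10/upload.phtml HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/10/photo.jpg HTTP/1.1" 200 20480',
    '198.51.100.7 - - [10/Oct/2025:12:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=PLUGIN_IMPORT_PLACEHOLDER HTTP/1.1" 200 300',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for rule, ip, target in scan_access_log(SAMPLE_LOG, "plugin_import_placeholder"):
        print(f"[{rule}] {ip} {target}")
```

Only the POST to the import endpoint and the script request under uploads are flagged; the GET to the same endpoint and the image request are not.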

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block attempts to upload executable file types. Additionally, configure web server file permissions to prevent script execution in directories where uploads are stored. Consider disabling the plugin's import functionality if it is not actively used.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.2) and the critical impact of a successful exploit, it is strongly recommended that organizations prioritize patching this vulnerability immediately. All WordPress sites using the "AIO Forms – Craft Complex Forms Easily" plugin should be updated without delay. After applying the update, conduct a security audit of the web server to search for any indicators of compromise that may have occurred prior to remediation.