CVE-2025-12673
The Flex QR Code Generator plugin for WordPress
Executive summary
A critical vulnerability has been identified in The Flex QR Code Generator plugin for WordPress, rated with a CVSS score of 9.8. This flaw allows any unauthenticated attacker on the internet to upload malicious files directly to the web server. Successful exploitation could lead to a complete compromise of the website, resulting in data theft, service disruption, and the potential for the server to be used in further attacks.
Vulnerability
The vulnerability exists within the update_qr_code() function of the plugin. This function lacks proper file type validation, meaning it does not check what kind of file is being uploaded. An unauthenticated attacker can send a specially crafted request to this function to upload a malicious file, such as a PHP web shell, disguised as a legitimate file. Once the malicious file is on the server, the attacker can access it via a web browser to execute arbitrary code with the permissions of the web server process, leading to a full system compromise.
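The following is an added illustration, not the plugin's code, of the two upload-handling patterns the paragraph contrasts: a handler that trusts the client-supplied filename and checks nothing, beside a hardened validator that combines an extension allowlist, a magic-byte check against the declared type, rejection of script extensions anywhere in the name, and a server-generated destination name. It is written in Python to keep the logic readable and runnable; the allowlist, size limit and naming scheme are assumptions chosen for a QR-code image endpoint.

```python
import os
import secrets

# Constructed allowlist of image types a QR-code endpoint would plausibly
# accept, keyed by extension with the bytes each file must begin with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a web server may hand to the PHP interpreter (the ones the
# advisory's log guidance names). Their presence anywhere in a name is fatal.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar"}


def insecure_destination(upload_dir: str, client_name: str) -> str:
    """The pattern the advisory describes: the client-supplied name decides
    where the file lands and no type check is performed. Shown only as the
    'before' case; never use this."""
    return os.path.join(upload_dir, client_name)


def validate_upload(client_name: str, content: bytes, max_bytes: int = 512 * 1024):
    """Hardened check. Returns (accepted, reason_or_generated_name).

    The client name is consulted only for the claimed extension; the stored
    name is generated server-side so no attacker-chosen characters reach the
    file system.
    """
    if len(content) > max_bytes:
        return False, "file too large"

    base = os.path.basename(client_name)  # drop any path components
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"

    # Reject script extensions anywhere after the first dot ("qr.php.png"
    # included), since some server configurations dispatch on inner extensions.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False, "script extension in name"

    ext = parts[-1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension .{ext} not allowed"

    # The declared extension must agree with the file's actual leading bytes;
    # a PHP file renamed to .png passes the extension test but fails here.
    if not content.startswith(magic):
        return False, "content does not match extension"

    # Defence in depth: an image carrying PHP open tags is not a QR image.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"

    return True, f"qr_{secrets.token_hex(8)}.{ext}"
```

The check on leading bytes is what makes the "disguised as a legitimate file" case fail: the Content-Type header and the filename are both under the client's control, the first bytes of a genuine PNG are not.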
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit could have a devastating impact on the business. An attacker could gain complete control over the affected website and underlying server, leading to the theft of sensitive data, including customer information, payment details, and intellectual property. Further risks include website defacement, distribution of malware to visitors, significant reputational damage, and potential regulatory fines for data breaches. The server could also be used as a launchpad for further attacks against other internal or external systems.
Remediation
Immediate Action: Immediately update The Flex QR Code Generator plugin to the latest version (1.2.7 or higher) which contains a patch for this vulnerability. After updating, verify that the new version is active and the vulnerability has been mitigated.
Proactive Monitoring:
- Log Analysis: Review web server access logs for suspicious POST requests to endpoints associated with the plugin. Look for attempts to upload files with extensions like .php, .phtml, or .phar.
- File System Monitoring: Implement file integrity monitoring to scan the web server's file system, particularly the WordPress uploads directory, for any unexpected or malicious files.
- Network Traffic: Monitor outbound network traffic from the web server for unusual connections, which could indicate a successful compromise and communication with a command-and-control server.
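As an added example of the log-analysis step (not part of the advisory), the script below parses combined-format access log lines, flags POST requests whose target references the plugin, flags any request for a file under the uploads directory whose name carries a .php, .phtml or .phar extension anywhere after the first dot, and escalates the latter when the same client address earlier posted to the plugin. The sample lines are constructed, and the plugin markers are placeholders: the advisory names the update_qr_code() function but not the URL that reaches it, so the markers must be tuned to the routes observed in a real deployment.

```python
import re
from urllib.parse import urlsplit

SCRIPT_EXTENSIONS = {"php", "phtml", "phar"}
UPLOADS_PREFIX = "/wp-content/uploads/"

# Placeholder substrings identifying plugin-related requests; adjust to the
# paths and action names seen in your own logs.
PLUGIN_MARKERS = ("flex-qr-code-generator", "update_qr_code")

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client posts to the plugin and then fetches a .php
# file from uploads; another fetches a .phtml with no prior POST; a third
# posts and then fetches a double-extension name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:08:01:12 +0000] "GET /wp-content/uploads/2025/11/qr_1.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:08:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=update_qr_code HTTP/1.1" 200 212 "-" "python-requests/2.32"
203.0.113.7 - - [10/Nov/2025:08:01:17 +0000] "GET /wp-content/uploads/2025/11/img.php HTTP/1.1" 200 88 "-" "python-requests/2.32"
198.51.100.9 - - [10/Nov/2025:08:02:40 +0000] "GET /wp-content/uploads/2025/11/logo.phtml HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.5 - - [10/Nov/2025:08:03:00 +0000] "POST /wp-content/plugins/flex-qr-code-generator/upload.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Nov/2025:08:03:02 +0000] "GET /wp-content/uploads/2025/11/x.php.png HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_script_extension(path):
    """True if the final path segment has a script extension after any dot."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(part in SCRIPT_EXTENSIONS for part in name.split(".")[1:])


def analyze(log_text, markers=PLUGIN_MARKERS):
    """Scan log text and return findings in log order.

    Kinds: plugin_post (POST touching the plugin), script_in_uploads (request
    for a script-named file under uploads), upload_then_script_access (the
    same, from an address that previously posted to the plugin).
    """
    findings = []
    posted_to_plugin = set()
    for number, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path  # query string is not a path
        target = rec["target"].lower()
        if rec["method"] == "POST" and any(mk in target for mk in markers):
            posted_to_plugin.add(rec["ip"])
            findings.append({"line": number, "ip": rec["ip"],
                             "kind": "plugin_post", "target": rec["target"],
                             "status": rec["status"]})
            continue
        if path.startswith(UPLOADS_PREFIX) and has_script_extension(path):
            kind = ("upload_then_script_access" if rec["ip"] in posted_to_plugin
                    else "script_in_uploads")
            findings.append({"line": number, "ip": rec["ip"], "kind": kind,
                             "target": rec["target"], "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['ip']:<14} {f['kind']:<27} {f['status']} {f['target']}")
```

A 200 status on a request for a script-named file under uploads is the strongest signal in this output, because it means the file existed and the server answered; a 404 for the same pattern still records that someone probed for it. Feed real logs through `analyze()` line by line, and treat any `upload_then_script_access` finding as an incident rather than an alert.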
Compensating Controls: If patching is not immediately possible, consider the following controls:
- Disable the Plugin: Deactivate and disable The Flex QR Code Generator plugin until it can be safely updated.
- Web Application Firewall (WAF): Implement a WAF with rules specifically designed to block uploads of executable file types and to filter malicious requests targeting the vulnerable function.
- Harden Permissions: Ensure that web server file permissions are hardened to prevent the web process from writing files to non-essential directories and to prevent the execution of scripts in upload folders.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the existence of public exploit code, this vulnerability represents an immediate and severe threat. We recommend that organizations treat this as an emergency. All instances of The Flex QR Code Generator plugin must be updated to a patched version immediately. If an immediate update is not feasible, the plugin must be disabled to remove the attack vector. Due to the high probability of active and widespread exploitation, organizations should proactively hunt for signs of compromise even after applying the patch.