A critical vulnerability has been identified in the KiotViet Sync plugin for WordPress, assigned a CVSS score of 9.8. This flaw allows an attacker to upload malicious files to a website using the plugin, which can lead to a complete server compromise. Successful exploitation could result in data theft, website defacement, or the installation of ransomware, posing a severe and immediate risk to the organization.

The vulnerability exists within the create_media() function of the plugin, which fails to properly validate the type of files being uploaded. An attacker can exploit this weakness by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as a standard file. Because the server does not check the file extension or content, it accepts and saves the malicious file, allowing the attacker to execute arbitrary code on the server with the privileges of the web server process, leading to a full system compromise.

This vulnerability is of critical severity with a CVSS score of 9.8. A successful exploit grants an attacker Remote Code Execution (RCE) capabilities, which can lead to catastrophic business consequences. Potential impacts include the theft of sensitive company and customer data, significant financial loss through ransomware or fraud, severe reputational damage, and disruption of business operations. The compromised server could also be used as a pivot point to launch further attacks against the internal network or be co-opted into a botnet.

Immediate Action: Update the KiotViet Sync plugin for WordPress to the latest patched version (greater than 1.8.5) immediately. If a patch is not yet available, disable and uninstall the plugin to remove the attack vector. After patching, monitor for any signs of prior exploitation by reviewing access logs and the file system for suspicious files.

Proactive Monitoring: Security teams should actively monitor web server access logs for unusual POST requests to endpoints associated with the plugin's file upload functionality. Check file system integrity, specifically within web-accessible directories like /wp-content/uploads/, for any recently created files with executable extensions (e.g., .php, .phtml). Endpoint Detection and Response (EDR) solutions should be configured to alert on suspicious process execution by the web server user.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with strict rules to block the upload of executable file types. Additionally, configure web server permissions to prevent the execution of scripts from within the uploads directory, which can limit the impact of a successful file upload.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the high potential for complete system compromise, this vulnerability requires immediate attention. Organizations must prioritize the deployment of the vendor-supplied patch across all affected WordPress instances without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion and a top priority for remediation.