A critical vulnerability has been identified in the "Easy Upload Files During Checkout" plugin for WordPress. This flaw allows an attacker to upload malicious JavaScript files to a website, bypassing security checks during the checkout process. Successful exploitation could lead to a complete compromise of the website, theft of sensitive customer data, and significant reputational damage.

The vulnerability exists within the file_during_checkout function, which handles file uploads. The function fails to properly validate the type of file being uploaded, allowing an attacker to upload files with arbitrary extensions, such as .js. An attacker could upload a malicious JavaScript file which, when accessed by an administrator or another user, would execute in their browser. This could lead to a persistent Cross-Site Scripting (XSS) attack, enabling the attacker to steal session cookies, perform actions on behalf of the logged-in user, or redirect users to malicious websites.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the business. Exploitation can lead to a full site takeover if an attacker successfully steals an administrator's session token. The potential consequences include the theft of sensitive customer data processed during checkout, financial loss from fraudulent activities, severe reputational damage, and the cost of forensic investigation and recovery. A compromised website could also be used to launch further attacks or distribute malware to visitors, creating additional legal and financial liabilities.

Immediate Action: Immediately update the "Easy Upload Files During Checkout" plugin for WordPress to the latest patched version provided by the vendor. After patching, review server logs and the website's upload directories for any suspicious files (e.g., .js, .html) that may have been uploaded prior to the update and remove them.

Proactive Monitoring: Monitor web server access logs for unusual POST requests to the file upload endpoint, particularly those involving files with scriptable extensions. Implement file integrity monitoring on the web server to detect unauthorized changes to plugin files or the creation of new, unexpected files in web-accessible directories.

Compensating Controls: If patching is not immediately possible, consider the following mitigating actions:

• Implement a Web Application Firewall (WAF) with strict rules to block the upload of files with dangerous extensions like .js, .php, and .html.
• Temporarily disable the file upload feature within the plugin's settings until the patch can be applied.
• Configure the web server to prevent the execution of scripts within the designated upload directory.

Public Exploit Available: False

Given the critical CVSS score of 9.8, this vulnerability requires immediate attention. Organizations using the affected WordPress plugin must prioritize applying the security update without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and potential for widespread impact make it a prime candidate for future inclusion. Proactive patching is the most effective defense against potential website compromise and the associated business risks.