A high-severity vulnerability has been identified in the Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress. This flaw allows an attacker to upload malicious files to a website, which could lead to a complete site takeover, data theft, or further attacks on the server. Immediate patching is required to mitigate the significant risk of system compromise.

The vulnerability exists within the insert_media_attachment() function of the plugin. This function fails to properly validate the types of files being uploaded, creating an arbitrary file upload weakness. An authenticated attacker, potentially with low-level permissions, can exploit this by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as a legitimate file, leading to remote code execution on the server.

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant threat to the organization. Successful exploitation could grant an attacker full control over the affected website and potentially the underlying server. The consequences include, but are not limited to, theft of sensitive data (customer information, transaction records), website defacement, distribution of malware to visitors, and reputational damage. This could result in significant financial loss, regulatory fines, and a loss of customer trust.

Immediate Action:

• Immediately update the "Vitepos – Point of Sale (POS) for WooCommerce" plugin to the latest version available from the vendor, which addresses this vulnerability.
• If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.
• Review WordPress user accounts and permissions to ensure the principle of least privilege is enforced.

Proactive Monitoring:

• Monitor web server logs for suspicious POST requests to WordPress AJAX endpoints or plugin-specific URLs, particularly those involving file uploads.
• Scan the WordPress wp-content/uploads/ directory for any non-media files, such as .php, .phtml, or other executable script types.
• Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes or additions to website files.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to block malicious file uploads based on file extension and content signatures.
• Harden the web server configuration to prevent the execution of scripts within the uploads directory. For Apache, this can be done via an .htaccess file; for Nginx, through a location block configuration.
• Restrict access to the WordPress admin panel (/wp-admin/) to trusted IP addresses only.

Public Exploit Available: false

This vulnerability presents a critical risk and must be addressed with urgency. We strongly recommend that all instances of the affected Vitepos plugin be patched immediately by updating to the latest secure version. Although this CVE is not currently listed on the CISA KEV list, its high CVSS score and the potential for complete system compromise classify it as a high-priority threat that requires immediate remediation to prevent exploitation.