CVE-2025-13329

The File Uploader for WooCommerce plugin for WordPress

A critical vulnerability exists in "The File Uploader for WooCommerce" WordPress plugin that allows unauthenticated attackers to upload arbitrary files to the server.

Executive summary

The File Uploader for WooCommerce plugin for WordPress, in releases up to and including 1.0.3, lets unauthenticated attackers upload arbitrary files to the server through a REST API endpoint. Because the uploaded file can be a PHP web shell written to a web-accessible directory, the flaw can be turned into remote code execution and, from there, complete compromise of the affected site, theft of its data, and use of the server as a staging point for further attacks.

Vulnerability

The plugin registers a REST API route, 'add-image-data', that is intended to receive image uploads. The route's callback does not validate the type of file it handles: it fetches the file named in the request from the external Uploadcare service and saves it to the local server without checking either the extension or the content. Because the route is reachable without authentication, anyone who can reach the site can have the server fetch and store a file of their choosing, including a PHP web shell. If that file lands in a directory where the web server executes PHP, the result is remote code execution.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a full server compromise, allowing an attacker to steal sensitive customer data, deface the website, install malware, or use the server to launch further attacks. The direct business impact includes significant reputational damage, financial loss from business disruption, potential regulatory fines for data breaches, and the high cost of incident response and system recovery.

Remediation

Immediate Action: Update "The File Uploader for WooCommerce" to a patched release (later than 1.0.3). If no patched release is available, deactivate and uninstall the plugin until one is. After patching, review web server access logs and the uploads directory for signs of exploitation; installing the fix does not remove any files an attacker has already placed on the server.

Proactive Monitoring: Monitor web server access logs for requests to the REST route /wp-json/file-uploader/v1/add-image-data, and for the same route addressed through the query-string form /?rest_route=/file-uploader/v1/add-image-data, which WordPress also accepts when pretty permalinks are unavailable; unauthenticated POSTs to this route are the exploitation vector. Review the WordPress uploads directory (normally wp-content/uploads) and any other directory the plugin writes to for files that are not images: script extensions (.php, .phtml, .phar), double extensions such as name.php.jpg, and files whose bytes do not match their extension (an image name over PHP source). Note that the plugin legitimately pulls files from Uploadcare, so outbound connections to that service are expected wherever the plugin is in use; look for fetches that coincide with requests to the endpoint and result in non-image files on disk.

Compensating Controls: If patching is not immediately possible, implement the following controls:

  • Use a Web Application Firewall (WAF) to block all requests to the vulnerable route, in both its /wp-json/file-uploader/v1/add-image-data and ?rest_route=/file-uploader/v1/add-image-data forms. This also disables the plugin's legitimate upload feature, which is acceptable until a fixed release is installed.
  • Configure the web server to refuse to execute scripts (PHP and similar) for any file under the uploads directory, for example by denying the PHP handler for that path in the Apache or nginx configuration. This is defense in depth that also blunts other upload flaws, but it does not prevent the file from being written.
  • Temporarily deactivate the plugin until it can be safely updated.
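The following triage script is an added example written for this advisory; it is not code from the plugin or its vendor. It covers two things discussed above: the server-side file-type check that the vulnerable callback is described as lacking (extension allowlist plus a magic-byte check on the actual content), and the two monitoring steps from the Remediation section, scanning access-log lines for hits on the add-image-data route in both URL forms and walking an uploads tree for files that are not the images their names claim. The log lines and the files in the temporary uploads tree are constructed for the demonstration; the route path is taken from this advisory, and the Common Log Format layout is an assumption about the server's logging.

```python
"""Triage helpers for CVE-2025-13329 (added example, not plugin code)."""
import os
import re
import tempfile
from typing import Iterable

# Both ways WordPress addresses a REST route: pretty permalink (/wp-json/...)
# and the query-string fallback (?rest_route=/...). Route path per the advisory.
ROUTE = "file-uploader/v1/add-image-data"
ROUTE_RE = re.compile(
    r"(?:/wp-json/" + re.escape(ROUTE) + r"|[?&]rest_route=/?" + re.escape(ROUTE) + r")"
)
# Common Log Format (assumed): ip ident user [time] "METHOD path HTTP/x" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Script extensions that must never appear anywhere in an uploaded file name,
# so that double extensions such as shell.php.jpg are rejected too.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Leading bytes each allowlisted image type must start with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),  # RIFF container; the WEBP tag at offset 8 is checked below
}


def flag_endpoint_hits(log_lines: Iterable[str]) -> list[dict]:
    """Return parsed entries for requests that reached the vulnerable route.
    POSTs are the exploitation vector; GETs are kept as 'probe' because
    scanners usually enumerate routes before attacking."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or not ROUTE_RE.search(m.group(4)):
            continue
        ip, ts, method, path, status = m.groups()
        hits.append({"ip": ip, "time": ts, "method": method, "path": path,
                     "status": int(status),
                     "kind": "exploit-attempt" if method == "POST" else "probe"})
    return hits


def is_valid_image(filename: str, data: bytes) -> bool:
    """The check the vulnerable callback lacked: allowlisted extension AND
    content whose magic bytes match that extension. Never trust the name alone."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(p in SCRIPT_EXTS for p in parts[1:]):
        return False
    ext = parts[-1]
    magics = IMAGE_MAGIC.get(ext)
    if not magics or not data.startswith(magics):
        return False
    if ext == "webp" and data[8:12] != b"WEBP":
        return False
    return True


def find_suspicious_uploads(root: str) -> list[str]:
    """Walk an uploads tree and list (as root-relative paths with '/') every
    file that fails is_valid_image(); only the first 16 bytes are read."""
    bad = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if not is_valid_image(name, head):
                bad.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(bad)


# Constructed sample log lines (documentation IP ranges, not a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:03:14:07 +0000] "GET /wp-json/file-uploader/v1/add-image-data HTTP/1.1" 404 52',
    '203.0.113.7 - - [10/Nov/2025:03:14:09 +0000] "POST /wp-json/file-uploader/v1/add-image-data HTTP/1.1" 200 87',
    '198.51.100.4 - - [10/Nov/2025:03:15:00 +0000] "POST /?rest_route=/file-uploader/v1/add-image-data HTTP/1.1" 200 87',
    '192.0.2.9 - - [10/Nov/2025:03:16:31 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1843',
]


def demo_scan() -> list[str]:
    """Build a constructed uploads tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "2025", "11")
    os.makedirs(sub)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,    # genuine PNG header
        "shell.php": b"<?php system($_GET['c']); ?>",      # web shell
        "fake.png": b"<?php echo 1; ?>",                   # PHP source under an image name
    }
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
    return find_suspicious_uploads(root)


if __name__ == "__main__":
    for hit in flag_endpoint_hits(SAMPLE_LOG):
        print(hit)
    print(demo_scan())
```

Run it against a real access log by feeding the file's lines to flag_endpoint_hits() and pointing find_suspicious_uploads() at wp-content/uploads; the magic-byte check is what catches a shell saved under an image name, which an extension-only review would miss.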

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the fact that unauthenticated attackers can reach remote code execution, this vulnerability is an immediate and severe threat to any internet-facing site running the affected plugin. Organizations should apply the vendor-supplied patch or disable the plugin without delay. Although this CVE is not currently on the CISA KEV list, unauthenticated arbitrary file upload in a WordPress plugin is the kind of flaw that is routinely mass-exploited once public, and it is a likely candidate for future inclusion. A compromise assessment should be performed on any site that ran a vulnerable version while exposed to the internet; the absence of a public exploit is not evidence that the flaw has gone unused.