CVE-2025-13376
WordPress · WordPress ProjectList plugin
A high-severity vulnerability has been identified in the ProjectList plugin for WordPress, allowing for arbitrary file uploads.
Executive summary
A high-severity vulnerability has been identified in the ProjectList plugin for WordPress, allowing for arbitrary file uploads. An attacker could exploit this flaw to upload malicious files, such as a web shell, which could lead to a complete compromise of the affected website, data theft, and further attacks originating from the compromised server. Immediate patching or removal of the vulnerable plugin is required to mitigate this critical risk.
Vulnerability
The ProjectList plugin for WordPress is vulnerable to arbitrary file upload. The vulnerability exists because the plugin's file upload functionality fails to properly validate the types of files being uploaded on the server side, so any client-side checks can be bypassed and a file with an executable extension (e.g., .php, .phtml) can be uploaded. Once uploaded, the attacker can request the file via its URL on the server, triggering its execution and achieving remote code execution (RCE) within the security context of the web server process.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business. An attacker achieving remote code execution can gain complete control over the web application and underlying server, leading to severe consequences such as:
- Data Breach: Theft of sensitive information, including customer data, user credentials, and intellectual property.
- System Compromise: The server could be used to host malware, launch attacks against other internal or external systems, or be added to a botnet.
- Reputational Damage: Website defacement or loss of customer trust due to a security incident can cause lasting harm to the organization's reputation.
- Business Disruption: The need to take the website offline for investigation and remediation can result in financial loss and operational downtime.
Remediation
Immediate Action:
- Update: Immediately update the ProjectList plugin to the latest version provided by the vendor, which addresses this vulnerability.
- Review and Remove: If the plugin is not essential for business operations, the most secure course of action is to disable and completely remove it from the WordPress installation.
- Verify Security Settings: Review WordPress file upload permissions and security configurations to ensure they adhere to best practices.
Proactive Monitoring:
- Log Analysis: Monitor web server access logs for suspicious POST requests to the plugin's file upload endpoints, especially those involving files with executable extensions (.php, .sh, .phtml). Also, search for subsequent GET requests to these uploaded files.
- File Integrity Monitoring (FIM): Implement FIM on the web server to detect the creation of new, unexpected files in web-accessible directories, particularly the wp-content/uploads folder.
- Network Traffic Analysis: Monitor for unusual outbound connections from the web server, which could indicate a successful compromise and communication with a command-and-control (C2) server.
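The log analysis step above can be turned into a small correlation check. The following Python script is an added example and is not part of this advisory or of the ProjectList plugin; it parses standard combined-format access log lines, remembers which clients POSTed to the plugin's upload endpoint, and flags any later request for a script-like file under wp-content/uploads, escalating when the requester is one of those clients. The upload endpoint path (UPLOAD_ENDPOINT) and the sample log lines are constructed assumptions and must be replaced with the real route and real logs.

```python
import re
from dataclasses import dataclass

# Standard Apache/nginx "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions named in the advisory, plus .phar which PHP handlers commonly map.
EXEC_EXTENSIONS = ('.php', '.phtml', '.sh', '.phar')

# ASSUMPTION: the advisory does not state the plugin's upload route; this is a
# placeholder to be replaced with the real endpoint observed in your logs.
UPLOAD_ENDPOINT = '/wp-admin/admin-ajax.php?action=projectlist_upload'


@dataclass
class Alert:
    severity: str
    ip: str
    when: str
    path: str
    status: int
    reason: str


def has_exec_extension(path):
    """True if the path (query string ignored) ends in a script-like extension."""
    return path.split('?', 1)[0].lower().endswith(EXEC_EXTENSIONS)


def detect(lines, upload_endpoint=UPLOAD_ENDPOINT, uploads_prefix='/wp-content/uploads/'):
    """Flag fetches of executable files from the uploads tree.

    A 2xx answer to such a request from a client that previously used the
    upload endpoint is the upload-then-execute pattern and rates 'high';
    a 2xx to any other client rates 'medium'; a refused request (non-2xx)
    is logged as 'low' so blocked attempts are still visible.
    """
    uploaders = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
        if method == 'POST' and upload_endpoint in path:
            uploaders.add(ip)
            continue
        if method == 'GET' and path.startswith(uploads_prefix) and has_exec_extension(path):
            if status // 100 != 2:
                alerts.append(Alert('low', ip, m['ts'], path, status,
                                    'request for executable in uploads was refused'))
            elif ip in uploaders:
                alerts.append(Alert('high', ip, m['ts'], path, status,
                                    'executable served to a client that used the upload endpoint'))
            else:
                alerts.append(Alert('medium', ip, m['ts'], path, status,
                                    'executable served from the uploads directory'))
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:13:00:01 +0000] "GET /projects/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2025:13:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=projectlist_upload HTTP/1.1" 200 87
203.0.113.7 - - [10/Nov/2025:13:00:09 +0000] "GET /wp-content/uploads/2025/11/update.phtml HTTP/1.1" 200 412
198.51.100.3 - - [10/Nov/2025:13:01:00 +0000] "GET /wp-content/uploads/2025/11/brochure.pdf HTTP/1.1" 200 90211
198.51.100.9 - - [10/Nov/2025:13:02:00 +0000] "GET /wp-content/uploads/2025/11/old.php HTTP/1.1" 403 199
"""

if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.when} {alert.ip} {alert.path} {alert.status}: {alert.reason}")
```

Run it against a real log with `detect(open('/var/log/apache2/access.log').readlines())` after setting UPLOAD_ENDPOINT. Because an access log does not record the name of the file carried in a multipart POST, the script keys on the later GET of the uploaded file rather than on the POST itself; correlating on client IP is a heuristic, so treat the 'medium' class as worth review as well, since any script under uploads being served with 2xx is abnormal on a correctly hardened host.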
Compensating Controls:
- Web Application Firewall (WAF): Configure a WAF with rules to inspect file uploads and block requests containing files with suspicious or executable extensions.
- File Permissions: Harden server file permissions to prevent files in the upload directory from being executed.
- Disable Execution: Configure the web server to explicitly deny script execution in the directories used for file uploads.
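As an added example of the "File Permissions" and "Disable Execution" controls above (this configuration is not from the advisory or the plugin vendor), the following Apache directives refuse to serve any script-like file from the uploads tree, regardless of how it got there. The directory path assumes a default WordPress layout. It belongs in the virtual host configuration rather than in a .htaccess file: whoever can write arbitrary files into wp-content/uploads could also write a .htaccess that re-enables execution, which is why AllowOverride is set to None for that directory.

```apache
# Added example; adjust the path to your WordPress document root.
<Directory "/var/www/html/wp-content/uploads">
    # Ignore any .htaccess placed in the upload tree.
    AllowOverride None

    # Refuse script-like files outright, including double extensions
    # such as image.php.jpg, so no PHP handler ever sees them.
    <FilesMatch "\.(php|phtml|phar|php[0-9])(\.|$)">
        Require all denied
    </FilesMatch>

    # No CGI or server-side-include execution for anything served from here.
    Options -ExecCGI -Includes
</Directory>
```

After reloading Apache, verify the control by requesting a harmless test file you placed in the directory with a .php extension; the expected response is 403, not PHP output. On nginx the equivalent is a regex location for ^/wp-content/uploads/.*\.(php|phtml|phar)(\.|$) returning 403, placed before the PHP handler location so it takes precedence.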
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 7.2) and the potential for complete system compromise via remote code execution, this vulnerability poses a critical risk to the organization. It is strongly recommended that all WordPress instances be audited to identify the presence of the ProjectList plugin. All vulnerable instances must be patched immediately by updating to the latest version. While this CVE is not currently on the CISA KEV list, its high impact makes it a priority for remediation. If the plugin's functionality is not critical, disabling and removing it is the most effective method to permanently eliminate this attack vector.