CVE-2025-13543

PostGallery · PostGallery plugin for WordPress

A critical vulnerability has been identified in the PostGallery plugin for WordPress, which could allow an unauthenticated attacker to upload malicious files to a target website.

Executive summary

A critical vulnerability has been identified in the PostGallery plugin for WordPress, which could allow an unauthenticated attacker to upload malicious files to a target website. Successful exploitation of this flaw could lead to a complete server compromise, enabling attackers to steal sensitive data, deface the website, or launch further attacks against the organization's network. Due to the high severity and potential for full system takeover, immediate remediation is strongly advised.

Vulnerability

The vulnerability exists due to improper file type validation within the 'PostGalleryUploader' class of the PostGallery plugin. An attacker can bypass the file type checks by crafting a special request to upload a file with a malicious extension, such as a PHP script. The server will incorrectly accept and store this file in a web-accessible directory, allowing the attacker to execute it by simply navigating to the file's URL. This provides the attacker with a webshell, enabling arbitrary code execution on the server with the permissions of the web server user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could lead to a complete compromise of the web server hosting the WordPress site. The potential consequences include theft of sensitive company or customer data, website defacement leading to reputational damage, and the installation of malware to attack site visitors. Furthermore, a compromised server could be used as a pivot point to launch attacks against other systems within the corporate network, posing a significant risk to the entire organization.

Remediation

Immediate Action:

  • Immediately identify all WordPress instances using the PostGallery plugin and update it to the latest patched version provided by the vendor.
  • If the plugin is not essential for business operations, the recommended course of action is to disable and completely remove it to eliminate this attack vector.

Proactive Monitoring:

  • Monitor web server access logs for suspicious POST requests to the plugin's upload functionality, specifically looking for attempts to upload files with executable extensions (e.g., .php, .phtml, .sh).
  • Implement File Integrity Monitoring (FIM) to alert on the creation of new, unexpected files in the WordPress uploads directory.
  • Monitor for unusual outbound network connections from the web server, which could indicate a reverse shell or data exfiltration.
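To make the first monitoring item concrete, here is an added example (not part of the advisory) that runs a simple detector over access-log lines in the common Apache/nginx combined format. It flags POST requests aimed at the plugin's upload handler and any request for a script file under the WordPress uploads directory; the upload-endpoint path fragment and the sample log lines are constructed assumptions, since the advisory does not name the endpoint.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log format. Regex constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Script extensions named in the advisory (.php, .phtml, .sh) plus common PHP variants (assumption).
EXEC_EXT_RE = re.compile(r'\.(php\d?|phtml|phar|sh)$', re.IGNORECASE)
# The advisory does not name the upload endpoint; this path fragment is a hypothetical placeholder.
UPLOAD_PATH_HINT = "postgallery"
UPLOADS_DIR = "/wp-content/uploads/"

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path_noq = m["path"].split("?", 1)[0]  # drop the query string before checking the extension
    finding = {"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": m["status"]}
    # (1) Upload attempt: a POST aimed at the plugin's upload handler.
    if m["method"] == "POST" and UPLOAD_PATH_HINT in m["path"].lower():
        return {**finding, "reason": "post_to_plugin_upload", "severity": "medium"}
    # (2) Execution attempt: a script file requested from the uploads directory.
    #     A 2xx status means the server actually served or ran it, so rank that high.
    if UPLOADS_DIR in path_noq and EXEC_EXT_RE.search(path_noq):
        sev = "high" if m["status"].startswith("2") else "medium"
        return {**finding, "reason": "script_under_uploads", "severity": sev}
    return None

def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

# Constructed sample log: documentation-range IPs, hypothetical upload action name.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2025:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=postgallery_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2025:10:15:09 +0000] "GET /wp-content/uploads/2025/12/gallery.php HTTP/1.1" 200 148 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Dec/2025:10:16:30 +0000] "GET /wp-content/uploads/2025/12/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Dec/2025:10:17:01 +0000] "GET /wp-content/uploads/2025/12/gallery.php?x=1 HTTP/1.1" 403 199 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}: {f['ip']} {f['path']} -> {f['status']}")
```

A 403 on the script request is what you expect to see once the uploads-directory hardening from the compensating controls is in place; a 200 is the case to escalate together with the FIM alert for the new file.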

Compensating Controls:

  • Deploy a Web Application Firewall (WAF) with rules designed to inspect file uploads and block requests containing executable file types.
  • Harden web server configurations to disable script execution (e.g., PHP) within the uploads directory.
  • Enforce strict file permissions on the web server to ensure that uploaded files cannot be executed by the server process.

Exploitation status

Public Exploit Available: False (as of December 4, 2025)

Analyst recommendation

This vulnerability represents a critical risk to the organization's web presence and underlying infrastructure. Given the high CVSS score of 8.8 and the typical ease of exploiting arbitrary file upload flaws, immediate action is required. All teams managing WordPress sites must prioritize updating the PostGallery plugin or removing it if it is no longer needed. Although this CVE is not currently on the CISA KEV list, its high severity and potential for full server compromise warrant treating it with the same level of urgency as a known exploited vulnerability.