CVE-2025-13646
WordPress · WordPress Multiple Products
A high-severity vulnerability has been discovered in the Modula Image Gallery plugin for WordPress, assigned a CVSS score of 7.5.
Executive summary
The Modula Image Gallery plugin for WordPress is affected by a high-severity vulnerability (CVSS score 7.5). This flaw allows an attacker to upload malicious files to a website's server, which can lead to a complete site takeover, theft of sensitive data, and further attacks against the organization's network. Immediate patching is required to mitigate the risk of compromise.
Vulnerability
The vulnerability exists within the ajax_unzip_file function of the Modula Image Gallery plugin. The function fails to properly validate the file types contained within an uploaded ZIP archive. An authenticated or unauthenticated attacker (depending on the plugin's configuration) can craft a malicious ZIP file containing an executable script, such as a PHP web shell, and upload it. When the server processes and unzips the archive, the malicious file is extracted onto the server in a web-accessible directory, allowing the attacker to execute arbitrary code with the permissions of the web server.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation can lead to Remote Code Execution (RCE), resulting in a complete compromise of the affected website. The potential business impacts include, but are not limited to, a significant data breach involving customer or corporate information, reputational damage from website defacement or malware distribution, and financial losses due to operational disruption and incident response costs. A compromised web server can also be used as a pivot point to launch further attacks against internal network resources.
Remediation
Immediate Action: Update the Modula Image Gallery plugin to the latest patched version as recommended by the vendor. After updating, review all WordPress security settings to ensure they are configured according to best practices. If the plugin is no longer required for business operations, consider deactivating and uninstalling it to reduce the overall attack surface.
Proactive Monitoring: Review web server access logs for unusual POST requests to WordPress AJAX endpoints, specifically targeting the ajax_unzip_file function. Implement file integrity monitoring (FIM) to detect the creation of unexpected files (e.g., .php, .phtml) in the WordPress uploads directory. Monitor for anomalous outbound network traffic from the web server, which could indicate a connection to a command-and-control server.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules to inspect and block file uploads containing suspicious file extensions within ZIP archives. Harden file system permissions to prevent the web server process from executing scripts in upload directories. Where possible, temporarily disable the ZIP upload functionality within the plugin until patching can be completed.
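The check the advisory says ajax_unzip_file lacks, written as a stand-alone Python audit that a defender can run over an uploaded archive before it reaches the plugin, or use as the model for a WAF or upload-pipeline rule. This is an added example, not code from the plugin or the advisory: the suffix lists, function names and sample archive are assumptions constructed for it, and it goes slightly beyond the advisory by also rejecting entries whose names would escape the uploads directory (path traversal or absolute paths).

```python
import io
import posixpath
import zipfile

# Assumed lists for this example (not taken from the plugin): suffixes a web
# server may execute or honour as config if written under wp-content/uploads,
# and the image types a gallery upload legitimately needs.
BLOCKED_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "htaccess"}
ALLOWED_IMAGE_SUFFIXES = {"jpg", "jpeg", "png", "gif", "webp"}


def unsafe_reason(entry_name: str):
    """Why a ZIP entry must not be extracted into a web-accessible directory,
    or None if it passes. Every dotted suffix is checked, so a double
    extension such as shell.php.jpg is caught as well as plain shell.php."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or ":" in name.split("/")[0]:
        return "absolute path"
    if ".." in posixpath.normpath(name).split("/"):
        return "path traversal"
    if name.endswith("/"):
        return None  # directory entry: nothing is written to disk
    suffixes = name.rsplit("/", 1)[-1].lower().split(".")[1:]
    if any(s in BLOCKED_SUFFIXES for s in suffixes):
        return "executable or server-config extension"
    if not suffixes or suffixes[-1] not in ALLOWED_IMAGE_SUFFIXES:
        return "not an allowed image type"
    return None


def audit_zip(archive_bytes: bytes):
    """Inspect an in-memory ZIP without extracting anything; return
    [(entry_name, reason), ...] for every unsafe entry (empty list = clean)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        checked = [(i.filename, unsafe_reason(i.filename)) for i in zf.infolist()]
    return [(name, reason) for name, reason in checked if reason]


def build_sample_archive() -> bytes:
    """Constructed sample upload: one genuine image plus the kinds of entries
    an unvalidated unzip routine would write straight into the uploads tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gallery/photo1.jpg", b"\xff\xd8\xff")  # JPEG magic bytes only
        zf.writestr("gallery/shell.php", b"")
        zf.writestr("gallery/shell.php.jpg", b"")
        zf.writestr("gallery/.htaccess", b"")
        zf.writestr("../../wp-config.php", b"")
        zf.writestr("/tmp/x.PHTML", b"")
    return buf.getvalue()
```

Run `audit_zip(build_sample_archive())` to see the five rejected entries with their reasons; a clean gallery archive returns an empty list.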
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete system compromise through remote code execution, immediate action is required. We strongly recommend that every system running the affected Modula Image Gallery plugin be updated to the latest version without delay. Although this vulnerability is not currently listed in the CISA KEV catalog, its simplicity and high impact make it a prime target for future exploitation. Prioritize patching on all internet-facing WordPress sites to prevent a security breach.