CVE-2025-29009
Webkul · Webkul Medical Prescription Attachment Plugin for WooCommerce
A critical vulnerability has been identified in the Webkul Medical Prescription Attachment Plugin for WooCommerce.
Executive summary
A critical vulnerability has been identified in the Webkul Medical Prescription Attachment Plugin for WooCommerce. This flaw allows an unauthenticated attacker to upload a malicious file, such as a web shell, directly to the web server. Successful exploitation could grant the attacker complete control over the affected website, leading to data theft, service disruption, and a complete compromise of the server's integrity.
Vulnerability
The plugin contains an Unrestricted File Upload vulnerability. It fails to properly validate the file types that users can upload, allowing an unauthenticated remote attacker to upload a file with a dangerous extension (e.g., .php). By uploading a specially crafted script, known as a web shell, an attacker can achieve remote code execution (RCE) on the web server with the permissions of the web service account.
Business impact
This vulnerability is of critical severity with a CVSS score of 10. Exploitation could lead to a complete compromise of the web server. The business impact includes a high risk of a significant data breach, particularly of sensitive customer and medical prescription data, which could trigger regulatory fines (e.g., under HIPAA). Further consequences include financial loss from incident response and recovery, severe reputational damage, and the potential for the compromised server to be used as a pivot point for further attacks into the corporate network.
Remediation
Immediate Action: Update the Webkul Medical Prescription Attachment Plugin for WooCommerce to the latest patched version provided by the vendor without delay. After patching, conduct a thorough investigation for signs of compromise by reviewing web server logs for suspicious file uploads and examining the web root directory for any unauthorized files.
Proactive Monitoring:
- Log Analysis: Review web server access logs for POST requests to file upload endpoints associated with the plugin. Scrutinize for uploads of files with executable extensions (.php, .phtml, .sh) and subsequent GET requests to those files.
- File Integrity Monitoring (FIM): Implement FIM on web-accessible directories to generate alerts for any new or modified files that are not part of a planned deployment.
- Network Traffic Analysis: Monitor for unusual outbound connections from the web server, which could indicate a web shell communicating with an attacker's command-and-control (C2) server.
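The following log triage script applies the Log Analysis check above to access-log lines in combined log format. It is added here as an illustration and is not part of this advisory, the vendor's code or the plugin; the upload endpoint, the upload directory and the log lines are constructed placeholders, not the plugin's real routes.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The upload
# endpoint and file paths are placeholders, not the plugin's real routes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=prescription_upload HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/uploads/prescriptions/img.php?x=1 HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2025:12:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=prescription_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:05:12 +0000] "GET /wp-content/uploads/prescriptions/scan.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "action=prescription_upload"  # placeholder for the plugin's upload handler
UPLOAD_DIR = "/wp-content/uploads/"             # where WordPress stores uploaded files
EXEC_EXT = (".php", ".phtml", ".php5", ".phar", ".sh")  # extensions the advisory calls out, plus common PHP variants

def parse(line):
    """Parse one combined-format access-log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return (kind, ip, path, status) findings: any GET for a script file under
    the upload directory, classified as 'upload-then-execute' when the same
    client hit the upload endpoint earlier in the log."""
    findings = []
    posted = defaultdict(bool)  # ip -> seen a POST to the upload endpoint
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        if rec["method"] == "POST" and UPLOAD_ENDPOINT in rec["path"]:
            posted[rec["ip"]] = True
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop the query string
        if rec["method"] == "GET" and path.startswith(UPLOAD_DIR) and path.endswith(EXEC_EXT):
            kind = "upload-then-execute" if posted[rec["ip"]] else "script-in-uploads"
            findings.append((kind, rec["ip"], path, rec["status"]))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A 'script-in-uploads' finding on its own still warrants investigation, since the upload directory should never serve executable files; a 200 status on such a GET means the server actually executed it.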
Compensating Controls: If patching is not immediately possible, take the following steps:
- Disable the vulnerable plugin until it can be safely updated.
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block the upload of executable or script-based file types.
- Harden the web server by disabling script execution permissions on directories where file uploads are stored.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical severity (CVSS 10) and the risk of complete server compromise, this vulnerability requires immediate action. We strongly recommend that all organizations using the Webkul Medical Prescription Attachment Plugin for WooCommerce apply the security update from the vendor as an emergency change. A follow-up investigation for indicators of compromise is mandatory to ensure the integrity of the environment has not already been breached.