CVE-2025-52835
ConoHa · ConoHa by GMO WING WordPress Migrator
A critical Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WING WordPress Migrator plugin.
Executive summary
The flaw lets an attacker who holds no account on the site trick a logged-in administrator into submitting a forged request that uploads an attacker-supplied file, such as a PHP web shell, to the web server. Once that file is reachable over HTTP, the attacker has full control of the affected website and can steal data, disrupt service, and pivot to other systems on the same network.
Vulnerability
The flaw is a Cross-Site Request Forgery (CSRF) weakness in the plugin's file upload handler. The handler does not verify that an upload request was intentionally issued from the plugin's own admin page, for example by checking a WordPress nonce, so it accepts any request that arrives with a valid administrator session cookie. An attacker therefore crafts a web page (or a link to one) that auto-submits a multipart POST to the upload endpoint and lures a logged-in administrator into opening it. The administrator's browser attaches the site's session cookie to that request, the plugin treats it as a legitimate migration upload, and the attacker-chosen file, typically a PHP web shell, is written to a web-accessible directory. Requesting that file then executes the attacker's code on the server. The attacker never needs credentials; the only preconditions are a vulnerable plugin version and an administrator whose browser still holds an authenticated session.
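To make the missing check concrete, here is an added illustration in PHP of the pattern behind a CSRF-able upload handler beside a hardened one. It is not the plugin's code and not its actual vulnerable function: the hook names, the nonce action string, the form field names and the allowed file types are assumptions chosen for the example, and it assumes a WordPress install to load it in.

```php
<?php
/*
 * Added illustration, not code from the WING WordPress Migrator plugin.
 * Hook names, the nonce action string, field names and the allowed file
 * types are assumptions for this example. Drop it into
 * wp-content/mu-plugins/ on a test site to try both handlers.
 */

// --- Vulnerable pattern (deliberately insecure, for contrast) ---
// admin_post_* hooks fire for any logged-in user. Nothing here proves the
// request came from the plugin's own page, so a cross-site form that the
// browser submits with the admin's session cookie is accepted as-is.
add_action('admin_post_demo_vuln_upload', function () {
    if (empty($_FILES['migration_file'])) {
        wp_die('no file');
    }
    // No nonce, no capability check, no type check, name taken from the client.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename($_FILES['migration_file']['name']);
    move_uploaded_file($_FILES['migration_file']['tmp_name'], $dest);
    wp_die('stored');
});

// --- Hardened pattern ---
add_action('admin_post_demo_safe_upload', function () {
    // 1. Capability: only administrators may run a migration.
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', 403);
    }
    // 2. CSRF: the request must carry a nonce minted for this action and this
    //    user. A page on another origin cannot read the nonce, so it cannot
    //    forge the request; check_admin_referer() dies on a bad or missing one.
    check_admin_referer('demo_safe_upload_action', 'demo_nonce');

    if (empty($_FILES['migration_file'])) {
        wp_die('no file');
    }
    // 3. Only the archive type a migrator needs; PHP is never on the list.
    $allowed = ['zip' => 'application/zip'];
    $type = wp_check_filetype_and_ext(
        $_FILES['migration_file']['tmp_name'],
        $_FILES['migration_file']['name'],
        $allowed
    );
    if (empty($type['ext'])) {
        wp_die('unsupported file type', 400);
    }
    // 4. Let WordPress place the file with a sanitised name under uploads/.
    //    test_form is false because this is not the default media form.
    $result = wp_handle_upload(
        $_FILES['migration_file'],
        ['test_form' => false, 'mimes' => $allowed]
    );
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), 400);
    }
    wp_die('stored at ' . esc_html($result['file']));
});

// The form that mints the nonce the hardened handler expects.
add_action('admin_menu', function () {
    add_management_page('Demo upload', 'Demo upload', 'manage_options', 'demo-upload', function () {
        echo '<form method="post" enctype="multipart/form-data" action="'
            . esc_url(admin_url('admin-post.php')) . '">';
        echo '<input type="hidden" name="action" value="demo_safe_upload">';
        wp_nonce_field('demo_safe_upload_action', 'demo_nonce');
        echo '<input type="file" name="migration_file"> <button type="submit">Upload</button></form>';
    });
});
```

The capability check and the nonce check are separate controls: admin_post_* handlers run for every authenticated user, so current_user_can() limits who may call the action at all, while the nonce ties each call to a form the administrator actually rendered. The type restriction is the last line of defence if both of those are ever bypassed, since a migrator has no reason to accept a .php upload.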
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.6, posing a significant and immediate threat to the organization. Successful exploitation allows an attacker to upload a web shell, granting them remote code execution capabilities on the web server. This can lead to a complete system compromise, resulting in severe consequences such as the theft of sensitive data (customer information, payment details, intellectual property), website defacement, service unavailability, and reputational damage. The compromised server could also be used as a staging point to launch further attacks against other systems within the organization's internal network.
Remediation
Immediate Action: Confirm the installed version on the Plugins screen (or with wp plugin list) and update the ConoHa by GMO WING WordPress Migrator plugin to a version higher than 1.1.9, or to the latest version the vendor provides. After patching, review web server and application logs for signs of earlier exploitation, such as unexpected file uploads or suspicious POST requests to the plugin's endpoints; a patch closes the door but does not remove a web shell that is already on disk.
Proactive Monitoring: Watch web server access and error logs for POST requests to the migrator plugin's upload endpoints, especially accepted requests whose Referer or Origin is not the site's own. Use a File Integrity Monitoring (FIM) solution to detect new or modified files with PHP-executable extensions (e.g. .php, .phtml) in web-accessible directories, above all under wp-content/uploads, where WordPress never writes PHP itself. Monitor for unusual outbound connections from the web server, which can indicate an active web shell talking to a command-and-control server.
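The log check above, as an added example that is not part of this advisory and not code from the plugin: a small PHP command-line script that scans combined-format access log lines for accepted cross-site POSTs to the upload action and for PHP being served out of wp-content/uploads. The site host, the admin-post action name and every log line are constructed for the demo; look up the plugin's real request path in your own logs before reusing the pattern.

```php
<?php
/*
 * Added detection example; not part of the advisory or the plugin.
 * SITE_HOST, UPLOAD_ACTION and the sample log lines are constructed
 * for this demo. Run: php scan_migrator_log.php
 */

const SITE_HOST     = 'shop.example';          // assumed: the site's own origin
const UPLOAD_ACTION = 'wing_migrator_upload';  // assumed: the plugin's admin-post action

// Constructed sample in Apache/nginx "combined" format: a normal admin page
// view, one cross-site forged POST, one legitimate POST, and a hit on a
// dropped PHP file.
$sample_log = <<<'LOG'
203.0.113.7 - - [10/Jun/2025:09:14:02 +0000] "GET /wp-admin/tools.php HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:09:15:41 +0000] "POST /wp-admin/admin-post.php?action=wing_migrator_upload HTTP/1.1" 200 310 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:09:16:05 +0000] "POST /wp-admin/admin-post.php?action=wing_migrator_upload HTTP/1.1" 200 310 "https://shop.example/wp-admin/tools.php" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:09:16:30 +0000] "GET /wp-content/uploads/2025/06/cmd.php?c=id HTTP/1.1" 200 88 "-" "curl/8.4"
LOG;

// Parse one combined-format line into its fields; null if it does not match.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// Does this request target the plugin's upload action on admin-post.php?
function is_upload_request(array $r): bool
{
    $url = parse_url($r['path']);
    if (($url['path'] ?? '') !== '/wp-admin/admin-post.php') {
        return false;
    }
    parse_str($url['query'] ?? '', $q);
    return ($q['action'] ?? '') === UPLOAD_ACTION;
}

// Scan a log and return one finding per suspicious line.
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        // 1. Accepted POST to the upload action whose Referer is not our own
        //    origin: the shape of a CSRF-driven upload. The browser reports
        //    the lure page as Referer, or nothing under a strict policy.
        if ($r['method'] === 'POST' && is_upload_request($r) && $r['status'] < 300) {
            $ref_host = parse_url($r['referer'], PHP_URL_HOST);
            if ($ref_host !== SITE_HOST) {
                $findings[] = ['rule' => 'cross-site-upload', 'ip' => $r['ip'],
                               'time' => $r['time'], 'referer' => $r['referer']];
            }
        }
        // 2. Any executed .php under wp-content/uploads: WordPress never
        //    serves PHP from there, so a 200 means a dropped file is running.
        $path = parse_url($r['path'], PHP_URL_PATH) ?? '';
        if ($r['status'] === 200 && preg_match('#^/wp-content/uploads/.*\.php$#i', $path)) {
            $findings[] = ['rule' => 'php-in-uploads', 'ip' => $r['ip'],
                           'time' => $r['time'], 'path' => $path];
        }
    }
    return $findings;
}

foreach (scan_log($sample_log) as $f) {
    echo implode(' ', array_map(fn($k, $v) => "$k=$v", array_keys($f), $f)), PHP_EOL;
}
```

On the sample this flags the second line (cross-site-upload, Referer evil.example) and the fourth (php-in-uploads). A missing Referer is treated as suspect, which is the right default for a state-changing admin action but will produce occasional false positives from privacy extensions or a strict referrer policy; the second rule has no such trade-off and should page someone immediately.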
Compensating Controls: If immediate patching is not feasible, consider the following controls:
- Put a Web Application Firewall (WAF) in front of the site. A WAF cannot tell a forged request from a genuine one by its body alone, so the useful rules are: reject POSTs to the plugin's endpoints whose Origin or Referer header is absent or belongs to another site, and block multipart uploads that carry PHP code or a PHP-executable extension.
- Temporarily disable the vulnerable plugin until it can be safely updated.
- Configure the web server to refuse to execute PHP under upload directories such as wp-content/uploads (for example a location or directory rule that denies .php there). Filesystem permissions alone do not achieve this, because the web server user both writes the uploaded file and runs it.
- Have administrative users log out of WordPress when they are not actively working, since CSRF depends on the victim's browser still holding an authenticated session. Multi-factor authentication hardens the login but does not stop a forged request from a browser that is already logged in, so it does not on its own mitigate this flaw.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity rating (CVSS 9.6) of this vulnerability, immediate and decisive action is required. All organizations utilizing the ConoHa by GMO WING WordPress Migrator plugin must prioritize applying the security update as an emergency change. Although this CVE is not currently on the CISA KEV list, its potential for complete server compromise warrants the highest level of attention. Proactive monitoring for indicators of compromise should be implemented concurrently with patching efforts to ensure the integrity of web-facing assets.