CVE-2025-58819
CreedAlly · CreedAlly Bulk Featured Image
Executive summary
A critical vulnerability has been identified in the CreedAlly Bulk Featured Image plugin, which could allow an unauthenticated attacker to take complete control of the affected web server. The flaw enables the upload of malicious files, known as web shells, which can be used to execute arbitrary code, steal data, or disrupt services. Due to the high severity and potential for full system compromise, immediate remediation is strongly advised.
Vulnerability
The CreedAlly Bulk Featured Image plugin contains an Unrestricted File Upload vulnerability. The application fails to properly validate the type and extension of files being uploaded, allowing an attacker to bypass security checks and upload a file with a dangerous type (e.g., a .php script). Once the malicious file (a web shell) is on the server, the attacker can navigate to it via a URL, causing the web server to execute the code within the file. This provides the attacker with Remote Code Execution (RCE) capabilities, effectively giving them control over the web server with the same permissions as the web service account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to a complete compromise of the web server. The potential consequences include theft of sensitive data (customer information, intellectual property, credentials), website defacement, service interruption, and significant reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network or to host malware and participate in botnet activities.
Remediation
Immediate Action: Update the CreedAlly Bulk Featured Image plugin to the latest available version that addresses this vulnerability. After patching, review web server access logs and file systems for any signs of prior compromise, such as suspicious uploaded files in web-accessible directories.
Proactive Monitoring: Monitor web server logs for unusual POST requests to file upload endpoints, especially those containing files with extensions like .php, .phtml, or .phar. Scrutinize the file system for any unrecognized files in media upload directories. Monitor for unexpected outbound network traffic from the web server, which could indicate a web shell communicating with an attacker's command and control server.
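The two checks above (review the access log, inspect the uploads tree) as an added example written for this page, not code from the advisory or from the plugin vendor. The script parses combined-format access log lines for requests that stage or fetch a script file under the WordPress uploads tree, and walks an uploads directory for files carrying an executable extension, including double extensions such as banner.php.jpg. The log lines, IP addresses, query parameter names, file names and the wp-content/uploads location are all constructed assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Extensions the web server may execute; any file carrying one of these under the
# uploads tree is worth a look (double extensions like shell.php.jpg included).
SCRIPT_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Default WordPress upload location (assumption; adjust if wp-content was moved).
UPLOADS_PREFIX = "/wp-content/uploads/"

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines (RFC 5737 test addresses, invented paths and
# query parameters). Line 2 is a POST whose query string names a .php file;
# line 3 is the follow-up request that would execute such a file.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /wp-content/uploads/2025/09/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=upload&name=cmd.php HTTP/1.1" 200 43 "-" "python-requests/2.32"
203.0.113.7 - - [10/Sep/2025:12:00:09 +0000] "GET /wp-content/uploads/2025/09/cmd.php HTTP/1.1" 200 77 "-" "python-requests/2.32"
198.51.100.2 - - [10/Sep/2025:12:01:00 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""


def is_script_name(name: str) -> bool:
    """True if any suffix of the file name is an executable script extension."""
    return any(s.lower() in SCRIPT_EXTENSIONS for s in Path(name).suffixes)


def suspicious_requests(lines):
    """Return log entries that look like web-shell staging or web-shell access."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m["path"].partition("?")
        params = [v for values in parse_qs(query).values() for v in values]
        if path.startswith(UPLOADS_PREFIX) and is_script_name(path):
            reason = "script requested from the uploads tree (possible web shell access)"
        elif m["method"] == "POST" and any(is_script_name(v) for v in params):
            reason = "POST whose query string names a script file (possible upload attempt)"
        else:
            continue
        hits.append({"ip": m["ip"], "method": m["method"], "path": path,
                     "status": int(m["status"]), "reason": reason})
    return hits


def scan_uploads(root) -> list[Path]:
    """Walk an uploads directory and return every file with a script extension."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and is_script_name(p.name))


def build_sample_uploads() -> Path:
    """Constructed uploads tree: one image, one stray .php, one double-extension file."""
    root = Path(tempfile.mkdtemp(prefix="uploads-demo-"))
    day = root / "2025" / "09"
    day.mkdir(parents=True)
    (day / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")      # JPEG magic only
    (day / "cmd.php").write_text("placeholder\n")             # inert stand-in
    (day / "banner.php.jpg").write_text("placeholder\n")      # inert stand-in
    return root


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}: {hit['reason']}")
    sample = build_sample_uploads()
    for found in scan_uploads(sample):
        print("stray script file:", found.relative_to(sample))
```

In practice, point scan_uploads at the real wp-content/uploads directory and feed suspicious_requests the live access log. A script file under uploads, or a request for one that returned 200, is exactly the sign of prior compromise the Immediate Action section says to look for; core WordPress does not write PHP files under uploads, so every hit deserves triage, the one common benign case being an empty index.php placeholder dropped by a hardening plugin.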
Compensating Controls: If immediate patching is not feasible, consider the following measures:
- Temporarily disable the CreedAlly Bulk Featured Image plugin until it can be updated.
- Implement a Web Application Firewall (WAF) with rules designed to detect and block the upload of executable file types.
- Configure the web server to disallow script execution in the directories where files are uploaded.
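The last compensating control above as an added configuration example written for this page (not a fragment from the plugin vendor or any particular hosting provider): an nginx server-block excerpt that refuses to serve or execute script files under the default WordPress uploads location. The uploads path and the PHP-FPM socket path are assumptions.

```nginx
# Added example: deny script execution inside the WordPress uploads tree.
# Place this BEFORE the generic "location ~ \.php$" block. nginx evaluates
# regular-expression locations in configuration order and uses the first
# match, so if the PHP handler appears first it wins and this rule never fires.
location ~* ^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar|phps)$ {
    deny all;   # 403 for every client; the file is never passed to PHP-FPM
}

# Typical PHP handler (already present in most WordPress configs; shown only
# so the required ordering is clear). The socket path is an assumption.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

After `nginx -t` and a reload, a request for any .php path under /wp-content/uploads/ should return 403 while images in the same directory are still served normally. This does not remove an already uploaded file, so it complements rather than replaces the post-patch file system review.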
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1 and the high potential for complete system compromise, immediate action is required. We strongly recommend that all systems running the affected versions of the CreedAlly Bulk Featured Image plugin be updated to the latest version without delay. Although this vulnerability is not currently listed on the CISA KEV list, its severity and the ease of potential exploitation warrant treating it with the highest priority.