A critical vulnerability has been identified in The WooCommerce Designer Pro plugin for WordPress, which allows unauthenticated attackers to upload malicious files to the server. This flaw could be exploited to gain complete control over the affected website, leading to data theft, website defacement, or further attacks on the hosting environment. Due to the high severity and potential for full system compromise, immediate remediation is strongly advised.

The vulnerability exists due to a lack of proper file type validation on the file upload functionality within the plugin. An unauthenticated remote attacker can craft a malicious request to upload a file with a dangerous extension (e.g., .php, .phtml). Because the server-side code fails to verify that the uploaded file is a benign type (like an image), the malicious file is saved to a web-accessible directory, allowing the attacker to execute arbitrary code on the server by simply accessing the uploaded file's URL.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would have a severe business impact, potentially leading to a full compromise of the web server. Consequences include the theft of sensitive data such as customer personal information and payment details, significant reputational damage from website defacement or malware distribution, and financial loss from business disruption or regulatory fines. The compromised website could also be used as a pivot point to launch further attacks against the organization's internal network.

Immediate Action: Update The WooCommerce Designer Pro plugin for Multiple Products to the latest version. After updating, conduct a thorough review of the web server's file system for any unrecognized or suspicious files, particularly in upload directories. Monitor for exploitation attempts and review access logs for unusual POST requests to plugin endpoints.

Proactive Monitoring: Implement continuous monitoring of web server logs for suspicious upload attempts, focusing on requests that contain file extensions like .php, .phtml, .phar, or .shell. Monitor for unexpected outbound network connections from the web server, which could indicate a successful compromise. File Integrity Monitoring (FIM) should be used to alert on the creation of new executable files in web directories.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules to block malicious file uploads based on file extension and content type. Additionally, configure the web server to disable script execution in all upload directories (e.g., using .htaccess rules or Nginx configuration) to prevent uploaded shells from being executed.

Public Exploit Available: Information not available in the provided CVE data.

Given the critical CVSS score of 9.8 and the high potential for complete system compromise, this vulnerability represents a significant and immediate threat to the organization. We strongly recommend that the immediate remediation action—updating the affected plugin—be treated as the highest priority. Although this CVE is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion and warrants an emergency patching cycle.