CVE-2025-9212

WP · WP Dispatcher plugin for WordPress

Executive summary

A high-severity vulnerability has been identified in the WP Dispatcher plugin for WordPress, which allows an unauthenticated attacker to upload arbitrary files to an affected website. Successful exploitation could lead to a complete compromise of the server, enabling the attacker to execute malicious code, steal sensitive data, or deface the website. Organizations using this plugin are at significant risk and should take immediate action to mitigate this threat.

Vulnerability

The vulnerability exists within the wp_dispatcher_process_upload() function of the WP Dispatcher plugin. This function is responsible for handling file uploads but fails to properly validate the type of file being uploaded. An attacker can exploit this flaw by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as a legitimate file. Once the malicious file is on the server, the attacker can navigate to it via a URL to execute arbitrary code with the permissions of the web server process, leading to a full system compromise.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit can have severe consequences for the business, including unauthorized access to and exfiltration of sensitive data such as customer information, intellectual property, or financial records. An attacker could also deface the corporate website, causing significant reputational damage, or use the compromised server to launch further attacks, host malicious content, or install ransomware. The potential for data breaches and service disruption poses a direct risk to business operations, customer trust, and regulatory compliance.

Remediation

Immediate Action: Update the WP Dispatcher plugin to the latest version provided by the vendor, which addresses this vulnerability. If a patched version is not yet available, or the plugin is not critical to business operations, disable and uninstall it immediately to remove the attack vector.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious POST requests to file upload endpoints associated with the plugin. Look for attempts to upload files with extensions like .php, .phtml, or .phar. Additionally, monitor the file system, particularly the wp-content/uploads directory, for any unexpected or suspicious files. Implement file integrity monitoring to alert on the creation of new executable files in web-accessible directories.
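The log review described above, as an added example that is not part of this advisory: it scans combined-format web server log lines for POSTs to the plugin's upload endpoint and for script files requested from wp-content/uploads, and correlates the two by client IP. The plugin slug pattern and the admin-ajax action in the constructed sample are assumptions; the real endpoint must be confirmed against the installed plugin before the rule is deployed.

```python
import re
from dataclasses import dataclass

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ASSUMPTION: the upload endpoint contains the plugin slug; verify against the plugin source.
PLUGIN_RE = re.compile(r"wp[-_]dispatcher", re.I)
# Extensions named in the advisory; \b also catches double extensions such as x.php.jpg
SCRIPT_RE = re.compile(r"\.(php|phtml|phar)\b", re.I)

# Constructed sample lines (the admin-ajax action name is a placeholder, not the plugin's real one)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wp_dispatcher_upload HTTP/1.1" 200 52 "-" "curl/8.0"
203.0.113.5 - - [10/Sep/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/09/cmd.php HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.7 - - [10/Sep/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/09/brochure.pdf HTTP/1.1" 200 80412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/09/photo.php.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

@dataclass
class Hit:
    ip: str
    ts: str
    target: str
    reason: str

def scan(lines):
    """Return one Hit per suspicious request, correlating upload POSTs with later script hits by IP."""
    uploaders = set()  # client IPs that POSTed to the plugin endpoint earlier in the log
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, target = m["ip"], m["ts"], m["method"], m["target"]
        path = target.split("?", 1)[0]
        filename = path.rsplit("/", 1)[-1]
        if method == "POST" and PLUGIN_RE.search(target):
            uploaders.add(ip)
            hits.append(Hit(ip, ts, target, "POST to plugin upload endpoint"))
        elif "/wp-content/uploads/" in path.lower() and SCRIPT_RE.search(filename):
            reason = "script requested from uploads directory"
            if ip in uploaders:
                reason += " by an IP that used the upload endpoint (possible web shell)"
            hits.append(Hit(ip, ts, target, reason))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.ip} {h.target} -> {h.reason}")
```

Any script hit under uploads is worth an alert on its own, since that directory should never serve executable files; the IP correlation only raises the priority.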

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules designed to inspect file uploads and block malicious file types. Additionally, harden the web server configuration to prevent the execution of scripts in directories where file uploads are stored. For example, use an .htaccess file on Apache or a server block on Nginx to deny execution permissions in the /uploads/ folder.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the high CVSS score, the public availability of exploit code, and the critical impact of a successful attack, it is strongly recommended that organizations take immediate action. All instances of the WP Dispatcher plugin must be identified and updated to a patched version without delay. After patching, a thorough review of the affected systems should be conducted to search for any indicators of compromise, such as unexpected files or unauthorized user accounts. If the plugin is not essential, it should be removed entirely to reduce the overall attack surface.