CVE-2025-9561

WordPress · WordPress AP Background plugin

A high-severity vulnerability has been identified in the AP Background plugin for WordPress, allowing an unauthenticated attacker to upload arbitrary files to an affected website.

Executive summary

A high-severity vulnerability has been identified in the AP Background plugin for WordPress, allowing an unauthenticated attacker to upload arbitrary files to an affected website. Successful exploitation could lead to a complete system compromise, enabling the attacker to execute malicious code, steal sensitive data, or deface the website. Organizations using this plugin are at significant risk and should take immediate action.

Vulnerability

The vulnerability exists within the advParallaxBackAdminSaveSlider() function of the AP Background plugin. This function lacks proper authorization checks, allowing any user, including unauthenticated attackers, to access it. Furthermore, the function fails to adequately validate the types of files being uploaded, permitting malicious file types (e.g., PHP web shells) to be saved to the server. An attacker can exploit this by sending a crafted request to the vulnerable function to upload a malicious script, which can then be executed to gain control over the web server.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the business. Exploitation can lead to a full compromise of the web server, resulting in potential consequences such as sensitive data exfiltration (customer data, intellectual property), website defacement, and distribution of malware to site visitors. Such an incident could cause severe reputational damage, loss of customer trust, financial losses associated with remediation, and potential regulatory fines.

Remediation

Immediate Action: Immediately update the AP Background plugin to the latest patched version provided by the vendor. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it from the WordPress installation to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for unusual POST requests to endpoints associated with the AP Background plugin. Implement file integrity monitoring to detect the creation of unexpected files (especially with extensions like .php, .phtml, .php5) in upload directories. Network traffic should be monitored for suspicious outbound connections from the web server, which could indicate command-and-control communication from a web shell.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block unauthorized file uploads and filter malicious file types. Additionally, harden server permissions by configuring the web server to disable script execution (e.g., PHP) within the WordPress upload directory (typically /wp-content/uploads/).
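The upload-directory check described under Proactive Monitoring can be scripted as follows. This is an added example, not code from the advisory or the plugin vendor. It flags files with the script extensions listed above (including double extensions and upper-case variants) and media files whose first bytes contain a PHP open tag. The .php7 and .phar entries and the sample directory tree are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions named in the advisory, plus .php7 and .phar, which are commonly
# mapped to the PHP handler (those two are an assumption added for this example).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Check every suffix so "bg.php.jpg" and "slide.PHP" are caught too.
            suffixes = {s.lower() for s in path.suffixes}
            if suffixes & SCRIPT_EXTS:
                findings.append((rel, "script extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(1024)
            # A media file that contains a PHP open tag is not a plain image.
            if b"<?php" in head.lower():
                findings.append((rel, "php tag in content"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a small fake uploads directory."""
    samples = {
        "2025/09/banner.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2025/09/slide.PHP": b"<?php /* constructed placeholder */ ?>",
        "2025/09/bg.php.jpg": b"constructed double-extension file",
        "2025/09/logo.png": b"\x89PNG\r\n<?php /* constructed */ ?>",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{reason:20} {rel}")
```

Run on a schedule against the site's /wp-content/uploads/ directory, any non-empty result from scan_uploads() is worth an alert, since that directory should hold no server-side scripts.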

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score and the critical impact of a successful exploit (remote code execution), this vulnerability requires immediate attention. All internet-facing WordPress instances running the vulnerable AP Background plugin should be considered at high risk. We strongly recommend that organizations prioritize patching this vulnerability immediately across all affected assets. Although this CVE is not currently listed on the CISA KEV list, its severity warrants treating it with the same level of urgency as a known exploited vulnerability.