CVE-2026-1756
WordPress · WP FOFT Loader plugin
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation. This allows attackers to upload malicious scripts to the server.
Executive summary
The WP FOFT Loader plugin for WordPress suffers from a high-severity (CVSS 8.8) arbitrary file upload vulnerability that can lead to remote code execution on the hosting server.
Vulnerability
The vulnerability exists in the 'WP_FOFT_Loader_Mimes::file_and_ext' function, which is responsible for checking the extension and MIME type of files the plugin accepts. Because that validation is incomplete, an attacker can get a file the check should reject stored on the server with an executable extension such as .php. Once such a file sits in a web-served directory, a single HTTP request to it runs the attacker's code.
Business impact
The ability to upload arbitrary files typically results in compromise of the web server: an attacker uploads a web shell to gain remote code execution as the PHP worker user, and from there can deface the site, steal data (including the database credentials in wp-config.php), or use the server as a staging point for further attacks. The CVSS score of 8.8 (High) reflects this risk.
Remediation
Immediate Action: Update the WP FOFT Loader plugin to the patched release. Then check the 'wp-content/uploads' directory for PHP files, inspecting file contents as well as names, since a file stored under a font or image extension can still carry PHP code.
Proactive Monitoring: Implement file integrity monitoring (FIM) to alert on the creation of new executable files in directories that should only contain media or fonts.
Compensating Controls: Disable PHP execution in the uploads directory via .htaccess or web server configuration to prevent uploaded scripts from running.
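The two remediation steps above that a responder actually types in, hunting the uploads tree for PHP and then denying execution there, as one added shell example for this advisory. This is illustrative code written for this page, not code from the WP FOFT Loader plugin, from WordPress, or from the vendor's patch. It assumes the uploads tree is wp-content/uploads under the site root, Apache 2.4 (`Require` syntax) with `AllowOverride` permitting `FilesMatch` in .htaccess, and that "PHP-executable" means a name with a PHP handler extension (also mid-name, e.g. `x.php.woff`) or a file whose first 512 bytes contain a PHP open tag regardless of extension. The directory layout and file names used are assumptions, not details from the advisory.

```shell
#!/bin/sh
# Added example for this advisory: hunt for PHP in a WordPress uploads tree
# and emit a deny-execution rule. Not the plugin's or WordPress's own code.
# Assumed layout: <site>/wp-content/uploads; adjust UPLOADS to your site.

# Extensions that common Apache/PHP-FPM setups hand to the PHP interpreter.
# "(\.|$)" also catches double extensions such as shell.php.woff, which an
# AddHandler-based Apache configuration may still execute.
PHP_NAME_RE='\.(php|php[0-9]|phtml|phar|phps)(\.|$)'

# find_php_files DIR -> one "reason<TAB>path" line per finding.
#   php-extension : file name matches PHP_NAME_RE (case-insensitive)
#   php-open-tag  : first 512 bytes contain "<?php" or "<?=", whatever the
#                   extension; this is the carrier a bypassed extension check
#                   lets through (a .ttf or .woff that is really PHP).
find_php_files() {
    dir=$1
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
        if printf '%s\n' "$lower" | grep -q -E "$PHP_NAME_RE"; then
            printf 'php-extension\t%s\n' "$f"
        fi
        if head -c 512 "$f" | grep -q -e '<?php' -e '<?='; then
            printf 'php-open-tag\t%s\n' "$f"
        fi
    done
}

# deny_php_htaccess DIR -> writes an Apache 2.4 .htaccess into DIR that
# refuses to serve anything with a PHP handler extension. Only effective
# where AllowOverride permits FilesMatch for that directory; verify with a
# request to a harmless test file afterwards.
deny_php_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Compensating control: no PHP execution in the uploads tree
<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# nginx_deny_php_rule -> prints the nginx equivalent. It must appear BEFORE
# the generic "location ~ \.php$ { fastcgi_pass ...; }" block: nginx takes
# the first matching regex location, so a later deny rule is never reached.
nginx_deny_php_rule() {
    cat <<'EOF'
location ~* /wp-content/uploads/.*\.(php|php[0-9]|phtml|phar|phps)(\.|$) {
    deny all;
}
EOF
}

# Usage (paths assumed):
#   UPLOADS=/var/www/html/wp-content/uploads
#   find_php_files "$UPLOADS"        # triage every line it prints
#   deny_php_htaccess "$UPLOADS"     # Apache hosts
#   nginx_deny_php_rule              # paste into the nginx server block
```

Every `php-open-tag` hit deserves manual review before deletion: copy the file off-box for forensics, then check access logs for requests to that path to establish whether the shell was ever used. The deny rules stop direct execution of dropped files but do not remove them, and they do nothing for a carrier that is later included by some other vulnerable PHP code, so cleanup of the uploads tree still has to happen.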
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability poses a severe risk of total site takeover. It is imperative to apply the vendor's patch immediately and verify that no unauthorized files have already been uploaded to the environment.