CVE-2026-27540

Rymera Web Co Pty Ltd · Woocommerce Wholesale Lead Capture

The Woocommerce Wholesale Lead Capture plugin allows for the unrestricted upload of files with dangerous types, enabling attackers to upload and execute malicious files on the server.

Executive summary

A critical file upload vulnerability in the Woocommerce Wholesale Lead Capture plugin allows attackers to upload web shells and execute arbitrary code on the WordPress server.

Vulnerability

The plugin fails to restrict the types of files uploaded through its lead capture forms. This allows an attacker to upload files with dangerous extensions (such as .php), which can then be requested directly over the web so that the server executes the attacker's code, resulting in remote code execution (RCE).

Business impact

With a CVSS score of 9.0, this vulnerability poses a severe threat. Successful exploitation results in a full site compromise, allowing attackers to steal customer data, modify site content, or use the server for malicious purposes. This leads to significant reputational damage and potential financial loss.

Remediation

Immediate Action: Update the Woocommerce Wholesale Lead Capture plugin to the latest version (2.0.3.2 or later). Ensure that the upload directory is configured to prevent the execution of scripts.

Proactive Monitoring: Review the plugin's upload directory for any suspicious files, particularly those with .php, .html, or .js extensions that do not correspond to legitimate user data.
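One way to carry out the upload-directory review described above, as an added example that is not part of this advisory or the plugin's code: it flags the extensions the advisory names (.php, .html, .js) plus common PHP aliases, catches double extensions, and looks for PHP open tags hidden inside files with innocent extensions. The upload path is an assumption, since the advisory does not name it, and the sample files are constructed.

```python
"""Flag files in a WordPress upload directory that should never be there.
Added example for this advisory, not the plugin's or vendor's code. Assumes
the lead-capture uploads live under the path you pass in (the advisory does
not name it) and that legitimate uploads are documents or images."""
import re
import tempfile
from pathlib import Path

# Extensions the advisory names (.php, .html, .js) plus PHP aliases that
# many hosting stacks also route to the interpreter.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".html", ".htm", ".js"}
# A PHP open tag inside a "document" or "image" marks a polyglot that may
# still execute if the server ever maps that file to PHP.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path: Path) -> list[str]:
    """Return the reasons a file is suspicious (empty list means clean)."""
    reasons = []
    # Inspect every suffix so double extensions (shell.php.jpg) are caught.
    if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
        reasons.append(f"script extension in {path.name}")
    if PHP_TAG.search(path.read_bytes()[:65536]):  # 64 KiB is enough for a tag
        reasons.append("PHP open tag in file body")
    return reasons


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk root recursively; map each suspicious relative path to its reasons."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (reasons := classify(p)):
            findings[str(p.relative_to(root))] = reasons
    return findings


def build_constructed_samples() -> Path:
    """Create a throwaway tree of constructed files mimicking an upload dir."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    samples = {
        "quote.pdf": b"%PDF-1.4 constructed document",       # clean
        "brochure.php": b"<?php // constructed marker ?>",     # ext + tag
        "logo.php.jpg": b"\xff\xd8\xff\xe0 <?php // marker",  # double ext + tag
        "notes.html": b"<h1>constructed</h1>",                 # ext only
        "avatar.png": b"\x89PNG constructed <?= 1 ?>",         # tag only
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return root
```

Point `scan_uploads` at the real upload directory on a schedule and alert on any non-empty result; a clean directory returns an empty dict.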

Compensating Controls: Use a Web Application Firewall (WAF) to block the upload of executable file types and implement server-side restrictions that prevent script execution in public upload folders.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations must prioritize this update. The ability to upload and execute files is a direct path to server compromise. Immediate patching and the implementation of strict file upload controls are essential to secure the environment.