CVE-2026-2942
WordPress · ProSolution WP Client
The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, enabling potential Remote Code Execution.
Executive summary
A critical arbitrary file upload vulnerability in the ProSolution WP Client plugin allows unauthenticated attackers to achieve Remote Code Execution.
Vulnerability
The proSol_fileUploadProcess function fails to validate file types, allowing unauthenticated attackers to upload malicious files (e.g., PHP scripts) to the server, resulting in Remote Code Execution.
Business impact
The 9.8 CVSS score reflects the extreme risk of total server compromise. Attackers can upload web shells to gain persistent, unauthorized access to the site, steal data, or deface the website.
Remediation
Immediate Action: Update the ProSolution WP Client plugin to the latest version. If an update is unavailable, deactivate and remove the plugin.
Proactive Monitoring: Scan the site for any unauthorized files in the uploads directory and review server access logs for suspicious requests to uploaded files.
Compensating Controls: Use a WAF to restrict file uploads and block attempts to access or execute scripts in user-writable directories.
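One way to carry out the Proactive Monitoring step, as an added example that is not part of the original advisory or the plugin's code: it lists script-type files under an uploads directory and flags access-log requests that target such files. The default WordPress uploads path /wp-content/uploads/, the combined log format, the extension list and the sample log lines are assumptions; the plugin's own upload location is not stated on this page.

```python
import os
import re

# Extensions PHP handlers commonly execute; adjust to the server's handler config.
# Also matches a script extension in the middle of a name, e.g. "x.php.txt".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# Assumption: default WordPress uploads location under the web root.
UPLOADS_URL = "/wp-content/uploads/"
# Combined log format: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_script_files(upload_root):
    """Return sorted relative paths of files under upload_root with a script extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            if SCRIPT_EXT.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), upload_root))
    return sorted(hits)


def suspicious_requests(log_lines):
    """Return (ip, method, path, status) for requests to script files under uploads."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string
        if UPLOADS_URL in path and SCRIPT_EXT.search(path.rsplit("/", 1)[-1]):
            out.append((ip, method, path, int(status)))
    return out


# Constructed sample log lines (documentation IP range, not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-content/uploads/2026/01/photo.jpg HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] "GET /wp-content/uploads/2026/01/cv.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "POST /wp-content/uploads/doc.PHTML HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 200 response to a script under the uploads path means the file exists and was served or executed, so those hits deserve review before 403 or 404 ones.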
Exploitation status
Public Exploit Available: No
Analyst recommendation
Arbitrary file upload vulnerabilities are critical and highly dangerous. Administrators must ensure the plugin is updated immediately to prevent remote attackers from taking control of the WordPress installation.