CVE-2026-32536

Halfdata · Green Downloads

Green Downloads allows unrestricted upload of files with dangerous types, enabling the use of malicious files. This affects versions up to 2.08.

Executive summary

The Green Downloads WordPress plugin is vulnerable to an unrestricted file upload flaw, allowing unauthenticated attackers to upload and execute malicious scripts on the server.

Vulnerability

This is an Unrestricted Upload of File with Dangerous Type vulnerability in the halfdata-paypal-green-downloads component. The plugin does not properly validate file extensions or content types, allowing an unauthenticated user to upload executable files (e.g., .php files) to the server.

Business impact

This vulnerability directly leads to Remote Code Execution (RCE). An attacker can upload a web shell and gain full control over the website and the underlying server environment. The CVSS score of 9.9 reflects the critical nature of unauthenticated file upload vulnerabilities.

Remediation

Immediate Action: Update Green Downloads to the latest version. If no fixed version is available, disable the file upload functionality or the plugin entirely.

Proactive Monitoring: Scan the plugin's download and upload directories for unexpected PHP or executable files that do not match the expected document types.

Compensating Controls: Configure the web server to disable the execution of scripts in the directory where the plugin stores uploaded files (e.g., using .htaccess or Nginx configuration).

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to upload and execute files provides an attacker with a permanent foothold on the system. This vulnerability must be remediated immediately. Ensure that all file upload components in your environment enforce strict allow-lists for file extensions and perform server-side content validation.
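The validation the Vulnerability and Analyst recommendation sections call for (an extension allow-list plus server-side content validation), shown as an added PHP example that is not the plugin's own code. The function name, the allow-list and the finfo-based content check are assumptions; it expects a real $_FILES entry because is_uploaded_file() only accepts files PHP received from a request.

```php
<?php
// Added example (not Green Downloads code): hardened server-side validation
// for a document upload handler. Names and the allow-list are assumptions.

// Permitted extensions mapped to the MIME types finfo may report for them.
const GD_ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'zip'  => ['application/zip', 'application/x-zip-compressed'],
    'txt'  => ['text/plain'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * Validate one $_FILES entry. Returns ['ok' => true, 'name' => <safe name>]
 * or ['ok' => false, 'error' => <reason>]. Every extension segment is checked,
 * not only the last one, so "shell.php.pdf" is rejected as well as
 * "shell.php", and the bytes on disk must match the claimed extension.
 */
function gd_validate_upload(array $file): array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'upload failed'];
    }
    // basename() drops any directory components sent by the client.
    $parts = explode('.', strtolower(basename((string) $file['name'])));
    if (count($parts) < 2) {
        return ['ok' => false, 'error' => 'missing extension'];
    }
    $ext = array_pop($parts);
    // Reject earlier segments a web server handler could still map to PHP.
    foreach ($parts as $segment) {
        if (preg_match('/^ph(p[0-9]*|tml|ar|ps)$/', $segment)) {
            return ['ok' => false, 'error' => 'double extension'];
        }
    }
    if (!isset(GD_ALLOWED_TYPES[$ext])) {
        return ['ok' => false, 'error' => "extension .$ext not allowed"];
    }
    // Content check: trust the file bytes, not the client-supplied type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, GD_ALLOWED_TYPES[$ext], true)) {
        return ['ok' => false, 'error' => "content $mime does not match .$ext"];
    }
    // Never reuse the client filename: store under a random name plus the
    // validated extension so nothing attacker-controlled reaches the path.
    return ['ok' => true, 'name' => bin2hex(random_bytes(16)) . '.' . $ext];
}
```

Pair this with the compensating control above (no script execution in the upload directory) so that a bypass of the allow-list still cannot reach an interpreter.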