CVE-2026-42748
WPify · Woo Czech
An unrestricted file upload vulnerability in the WPify Woo Czech plugin allows unauthenticated attackers to upload and execute a web shell on the server.
Executive summary
A critical unrestricted file upload vulnerability in the WPify Woo Czech plugin enables unauthenticated attackers to achieve remote code execution.
Vulnerability
The plugin fails to properly validate the types of files uploaded, allowing an attacker to upload malicious scripts, such as web shells. Because this check is absent, an unauthenticated attacker can upload and execute arbitrary code on the underlying web server.
Business impact
The CVSS score of 9.9 highlights the critical nature of this flaw. Successful exploitation leads to full server compromise, allowing attackers to steal sensitive customer data, deface the website, or use the server as a launchpad for further attacks, potentially resulting in significant financial and reputational damage.
Remediation
Immediate Action: Update the WPify Woo Czech plugin to the latest available version that addresses this vulnerability.
Proactive Monitoring: Regularly scan the web server directory for unauthorized script files or unexpected changes to the filesystem.
Compensating Controls: Use a WAF to block requests that attempt to upload files with suspicious extensions or content types to the web server.
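As an added illustration of the proactive-monitoring step above (example code written for this advisory, not part of the plugin or the original text), the following scanner walks a WordPress uploads directory and flags files that should never be there: anything carrying a script extension in any position of its name (so a double extension such as name.php.jpg is caught), anything whose first kilobyte contains a PHP open tag regardless of extension, and anything outside an assumed allowlist of upload types. The allowlist, the sample tree and its contents are constructed assumptions.

```python
"""Flag unexpected script files in a WordPress wp-content/uploads tree."""
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed allowlist of types a store would legitimately keep under uploads
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".txt", ".mp4", ".zip"}
# Extensions the web server is likely to hand to the PHP interpreter
SCRIPT_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}
# A PHP open tag anywhere in the file head, whatever the extension claims
PHP_TAG = re.compile(rb"<\?(php|=)")


def classify(path: Path) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if it looks benign."""
    # Check every suffix, not only the last one, so 'avatar.php.jpg' is flagged
    if {s.lower() for s in path.suffixes} & SCRIPT_EXT:
        return "script-extension"
    with path.open("rb") as fh:
        head = fh.read(1024)
    if PHP_TAG.search(head):
        return "php-content"
    if path.suffix.lower() not in ALLOWED_EXT:
        return "unexpected-extension"
    return None


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative posix path, finding) pairs."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings.append((p.relative_to(root_path).as_posix(), label))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Create a constructed sample uploads tree so the script runs stand-alone."""
    d = Path(root) / "2024" / "05"
    d.mkdir(parents=True, exist_ok=True)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (d / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed pdf stub")
    (d / "readme.html").write_bytes(b"<html>constructed</html>")
    (d / "shell.php").write_bytes(b"<?php /* constructed marker only */ ?>")
    (d / "avatar.php.jpg").write_bytes(b"GIF89a constructed double extension")
    (d / "logo.png").write_bytes(b"\x89PNG <?php /* constructed marker */ ?>")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, label in scan_uploads(tmp):
            print(f"{label:22} {rel}")
```

Run it against the real uploads directory by calling scan_uploads("/path/to/wp-content/uploads") from a cron job and alerting on any non-empty result; a clean tree returns an empty list.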
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
File upload vulnerabilities are a frequent target for automated exploitation. It is imperative that administrators update the plugin immediately. If an update is not immediately available, the plugin should be disabled until a secure version is deployed.