CVE-2026-56058
ThemeCatcher · Quform
The Quform WordPress plugin by ThemeCatcher is susceptible to an arbitrary file upload vulnerability exploitable by any authenticated user holding the Subscriber role, the lowest default WordPress role.
Executive summary
A critical arbitrary file upload vulnerability in the ThemeCatcher Quform plugin allows an authenticated user with only the Subscriber role to upload files of an arbitrary type to the host server, which on a typical PHP deployment is enough to place a web shell and execute arbitrary code.
Vulnerability
The vulnerability stems from insufficient validation of user-supplied input during the plugin's file upload process. A user with the Subscriber role can bypass the checks that are supposed to restrict what may be uploaded and store a malicious file, such as a PHP script, where the web server will serve it.
Business impact
Although exploitation requires a Subscriber-level account, the impact remains severe: a low-privileged web account is converted into code execution as the web server user, which is a privilege escalation to Remote Code Execution. The CVSS score is 9.9 (Critical). A single compromised or self-registered account can therefore turn into a full takeover of the WordPress host, with the attendant risk of data theft, data loss, or service disruption.
Remediation
Immediate Action: Update the Quform plugin to the latest available version, which the vendor has released to enforce proper file validation and access control; confirm the installed version on every site after the update.
Proactive Monitoring: Audit user account activity (new registrations, logins from unexpected locations) and monitor the web server for unauthorized files or scripts in the upload directories the plugin writes to, in particular PHP files, double-extension files such as name.php.jpg, and unexpected .htaccess or .user.ini files.
Compensating Controls: Until the update is applied, restrict file upload capabilities for low-privileged users via security plugins or WAF rules, and disable script execution in the WordPress uploads tree at the web server level (for example, deny PHP handling under wp-content/uploads) so that an uploaded script cannot be run even if it lands on disk.
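The following is an added example to support the monitoring step above; it is not code from the advisory, from ThemeCatcher, or from WordPress. It walks an uploads tree and flags files that should never appear in user-upload storage: PHP-executable extensions, double extensions such as avatar.php.jpg, server configuration files, and files whose first bytes contain a PHP open tag. The build_sample_tree helper constructs a small fake uploads tree so the script runs offline; the quform/ subdirectory name and the file contents in it are assumptions for the sample, not a statement of where Quform actually stores uploads. On a real server, point scan_uploads at the site's wp-content/uploads directory.

```python
"""Flag files in a WordPress uploads tree that indicate an arbitrary file upload.

Added example for this advisory (not Quform's or WordPress's own code).
Assumes uploads live somewhere under wp-content/uploads; pass the real path.
"""
from __future__ import annotations

import os
import re
import sys
from pathlib import Path

# Extensions most PHP-enabled servers will execute when requested directly.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Per-directory config files an attacker drops to re-enable execution or change handlers.
CONFIG_FILES = {".htaccess", ".user.ini", "web.config"}
# "<?php" or the short echo tag "<?=", case-insensitive.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path: Path) -> list[str]:
    """Return the reasons a single file is suspicious (empty list if none)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    # name.php.jpg: an executable suffix hiding before a harmless final one.
    if len(suffixes) > 1 and any(s in EXEC_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("double extension")
    if path.name.lower() in CONFIG_FILES:
        reasons.append("server config file")
    # Only read a prefix: upload trees hold large media and we want cheap scans.
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        return reasons
    if PHP_TAG.search(head):
        reasons.append("contains PHP open tag")
    return reasons


def scan_uploads(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk root and map each suspicious file (POSIX-style relative path) to its reasons."""
    root_path = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            file_path = Path(dirpath) / name
            reasons = classify(file_path)
            if reasons:
                findings[file_path.relative_to(root_path).as_posix()] = reasons
    return findings


def build_sample_tree(base: str | os.PathLike) -> Path:
    """Create a constructed uploads tree for demonstration (not real site data)."""
    base_path = Path(base)
    samples = {
        "2026/01/photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        "2026/01/notes.txt": b"just a text attachment",
        # Assumed subdirectory name for the sample only.
        "quform/shell.php": b"<?php system($_GET['c']); ?>",
        "quform/avatar.php.jpg": b"GIF89a<?php echo 'hi'; ?>",
        "quform/.htaccess": b"AddType application/x-httpd-php .jpg\n",
        "quform/resume.pdf": b"%PDF-1.4 harmless document",
    }
    for rel, content in samples.items():
        target = base_path / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base_path


if __name__ == "__main__":
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/uploads"
    for rel_path, why in sorted(scan_uploads(target_dir).items()):
        print(f"{rel_path}: {', '.join(why)}")
```

Run it as a periodic job (cron, or a file-integrity check) and alert on any finding: an uploads tree on a correctly configured site should yield nothing. The extension lists are deliberately conservative; extend EXEC_EXTENSIONS to match whatever handlers your web server actually maps to PHP.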
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Security teams should immediately identify all instances of the Quform plugin and ensure they are updated to the patched version. Because a Subscriber account is sufficient, organizations should also review their user registration policy: if the WordPress "Anyone can register" setting is enabled with Subscriber as the default role, any visitor can obtain the access needed to exploit this issue, and the vulnerability is effectively reachable without prior credentials.