CVE-2026-6555

ProSolution · WP Client

The ProSolution WP Client WordPress plugin is vulnerable to arbitrary file upload due to improper validation of the upload array, allowing remote code execution.

Executive summary

A critical arbitrary file upload vulnerability in the ProSolution WP Client WordPress plugin allows unauthenticated attackers to execute arbitrary code on the server.

Vulnerability

The plugin fails to validate all files in an upload array, only checking the first one. An unauthenticated attacker can bypass these checks to upload malicious PHP files to a web-accessible directory.
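The defensive pattern for this class of flaw, as an added example that is not the plugin's or the vendor's code: flatten PHP's upload array and apply the same check to every entry, rejecting the whole batch if any entry fails. The field name `attachments`, the extension allowlist and both function names are assumptions, and the check is narrowed to an extension allowlist to keep the case small.

```php
<?php
// Added example, not the plugin's code. All names and the allowlist are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// PHP stores a multi-file field as parallel arrays (name[0], name[1], ...) and a
// single-file field as scalars. Flatten both shapes into a list of per-file arrays.
function normalize_uploads(array $field): array
{
    if (!is_array($field['name'])) {
        return [$field];
    }
    $files = [];
    foreach (array_keys($field['name']) as $i) {
        $files[] = [
            'name'     => $field['name'][$i],
            'tmp_name' => $field['tmp_name'][$i],
            'error'    => $field['error'][$i],
        ];
    }
    return $files;
}

// Returns rejection reasons; an empty list means every file in the array passed.
function validate_uploads(array $field): array
{
    $errors = [];
    foreach (normalize_uploads($field) as $i => $file) { // every entry, not only index 0
        if ($file['error'] !== UPLOAD_ERR_OK) {
            $errors[] = "file $i: upload error {$file['error']}";
            continue;
        }
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXT, true)) {
            $errors[] = "file $i ({$file['name']}): extension not allowed";
        }
    }
    return $errors;
}

// Constructed sample shaped like $_FILES['attachments'] for a two-file upload.
$sample = [
    'name'     => ['photo.jpg', 'notes.php'],
    'tmp_name' => ['/tmp/phpA1', '/tmp/phpB2'],
    'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_OK],
];
$errors = validate_uploads($sample);
// Reject the whole batch if any entry fails; move nothing to the upload directory.
echo $errors ? "rejected:\n  " . implode("\n  ", $errors) . "\n" : "accepted\n";
```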

Business impact

A CVSS score of 9.8 indicates an extremely high level of risk. An attacker can use this flaw to gain full control of the WordPress instance, potentially leading to the compromise of user databases and the use of the server for malicious activity.

Remediation

Immediate Action: Update the ProSolution WP Client plugin to the latest version. Check the vendor security advisory for specific patch details.

Proactive Monitoring: Review web server logs for suspicious file upload requests and scan the site for unauthorized PHP scripts.

Compensating Controls: Configure the web server to disable script execution in the directory where user files are uploaded.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is a prime example of why input validation must be exhaustive across all data inputs. Immediate updates are required, and organizations should scan their web directories for any signs of unauthorized file activity.