Impact
The Baggage Freight Shipping Australia plugin allows any user to submit a file to the upload-package.php endpoint without validation. An attacker can send a POST request with a malicious file that the plugin then moves directly to its upload directory. Because the file is executed by the web server, it implies that the upload directory is web‑accessible; this inference is not explicitly stated but deduced. This flaw permits unrestricted execution of arbitrary code on the affected WordPress site.
Affected Systems
WordPress sites that have the Shipster Baggage Freight Shipping Australia plugin version 0.1.0 installed are affected. The vulnerability is limited to installations running this specific plugin version, which places the plugin’s upload directory in a web‑accessible location.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity, and the EPSS score of 0.00661 indicates a very low probability of exploitation. The vulnerability is listed as not in the CISA KEV catalog. Attackers only need network access to the WordPress site; this is inferred, no authentication or privileged access is required. By sending a crafted file to the unprotected endpoint, an attacker can achieve remote code execution, compromising confidentiality, integrity, and availability of the entire host.
OpenCVE Enrichment