Impact
The Bulk Featured Image plugin for WordPress allows an attacker to upload files of any type, including malicious scripts such as web shells. The vulnerability is a classic Arbitrary File Upload flaw (CWE-434) and carries a CVSS score of 9.1, a severity that reflects the potential for full server compromise. Once an attacker places a web-shell file in the upload directory, they can execute arbitrary code on the host and take complete control of the web server. The impact extends to the confidentiality, integrity, and availability of the entire site and its underlying infrastructure.
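The advisory does not reproduce the plugin's code, so the following is an added, constructed illustration of the CWE-434 pattern it describes and of the checks that close it; it is not CreedAlly's code. The handler and hook names (bfi_weak_upload_handler, bfi_hardened_upload_handler, the bfi_featured_upload AJAX action and nonce) are assumptions; the WordPress API calls are the real ones a plugin would use.

```php
<?php
// Added example, not the Bulk Featured Image plugin's code. Function and hook
// names are hypothetical; the WordPress API calls are real.

// WEAK (CWE-434): trusts the client-supplied filename and type, and only checks
// that a file arrived. Anything, including a .php web shell, lands in the
// uploads directory, where the web server will happily execute it.
function bfi_weak_upload_handler() {
    if ( empty( $_FILES['featured']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    $upload_dir = wp_upload_dir();
    $dest       = $upload_dir['path'] . '/' . basename( $_FILES['featured']['name'] );
    move_uploaded_file( $_FILES['featured']['tmp_name'], $dest );
    wp_send_json_success( $upload_dir['url'] . '/' . basename( $dest ) );
}

// HARDENED: capability check, nonce check, server-side content sniffing,
// an image-only allow-list, and WordPress's own upload handler, which
// re-derives a safe filename and refuses anything outside the allow-list.
function bfi_hardened_upload_handler() {
    // 1. Only users allowed to upload media may reach this code path.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Reject cross-site requests (a privileged user tricked into submitting).
    check_ajax_referer( 'bfi_featured_upload', 'nonce' );

    if ( empty( $_FILES['featured']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['featured'];

    // 3. Allow-list: featured images only, independent of site-wide upload types.
    $image_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // 4. Check the real content, not the client-declared type or name.
    //    wp_check_filetype_and_ext() sniffs the file and returns an empty
    //    'type' when the extension and the content disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $image_mimes );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) ) {
        wp_send_json_error( 'only image files are accepted', 415 );
    }
    // 5. Belt and braces: the image library must parse it as an image.
    if ( false === wp_get_image_mime( $file['tmp_name'] ) ) {
        wp_send_json_error( 'not a valid image', 415 );
    }

    // 6. Let WordPress move the file: it sanitises the filename and enforces
    //    the same allow-list again on the way to the uploads directory.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $image_mimes,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_bfi_featured_upload', 'bfi_hardened_upload_handler' );
```

Steps 4 and 5 are the ones that matter for this class of bug: the weak handler never looks at the bytes, so a renamed script passes. Pairing the handler fix with a web-server rule that refuses to execute scripts under wp-content/uploads limits the blast radius if a check is ever bypassed.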
Affected Systems
The flaw affects CreedAlly's Bulk Featured Image plugin for WordPress in versions up to and including 1.2.4. Any WordPress site running this plugin that has not upgraded past version 1.2.4 is susceptible to the upload flaw.
Risk and Exploitability
With a CVSS score of 9.1 and an EPSS score below 1%, the vulnerability is severe, but its exploitation probability is currently low. The attack vector is inferred to be the plugin's normal image-upload interface, which requires a user with permission to add featured images. An attacker who can authenticate to the site or gain elevated privileges on it, or who can trick a privileged user into uploading a malicious file, can trigger the flaw. Once triggered, it results in full remote code execution because the uploaded web shell is executable on the server. The vulnerability is not listed in CISA's KEV catalog, which suggests no public exploit is currently in widespread use, but the high CVSS score means defenders should treat it as a priority risk.
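Because a dropped web shell is the observable artefact of exploitation, a defender's first check is whether anything non-image has appeared under the uploads directory. The read-only audit below is an added example, not part of the advisory or the plugin; the uploads path is passed on the command line, and the extension lists and 64 KiB content-scan window are assumptions to tune per site.

```php
<?php
// Added example, not from the advisory or the plugin: walk an uploads directory
// and report files a featured-image uploader should never have produced.
// Usage: php audit-uploads.php /path/to/wp-content/uploads

// Extensions a featured-image directory legitimately contains (assumption).
const BFI_ALLOWED_EXT = array( 'jpg', 'jpeg', 'jpe', 'png', 'gif', 'webp' );
// Extensions that indicate server-side code or execution-policy changes.
const BFI_SUSPECT_EXT = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml',
                               'phar', 'inc', 'cgi', 'pl', 'sh', 'htaccess' );

function bfi_audit_uploads( string $root ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $f ) {
        if ( ! $f->isFile() ) {
            continue;
        }
        $path    = $f->getPathname();
        $name    = strtolower( $f->getFilename() );
        $reasons = array();

        // Every extension in a multi-extension name counts (e.g. shell.php.jpg),
        // because some server configurations execute on any .php segment.
        $parts = explode( '.', $name );
        array_shift( $parts ); // drop the base name; ".htaccess" leaves ['htaccess']
        foreach ( $parts as $ext ) {
            if ( in_array( $ext, BFI_SUSPECT_EXT, true ) ) {
                $reasons[] = "executable-extension:$ext";
            }
        }
        if ( empty( $parts ) || ! in_array( end( $parts ), BFI_ALLOWED_EXT, true ) ) {
            $reasons[] = 'not-an-image-extension';
        }

        // Content check: a PHP open tag inside anything under uploads is a red
        // flag even when the extension looks like an image (polyglot files).
        $head = @file_get_contents( $path, false, null, 0, 65536 );
        if ( false !== $head && preg_match( '/<\?(php\b|=|\s)/i', $head ) ) {
            $reasons[] = 'php-open-tag-in-content';
        }

        if ( $reasons ) {
            $findings[] = array(
                'path'    => $path,
                'mtime'   => date( 'c', $f->getMTime() ),
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( bfi_audit_uploads( $argv[1] ) as $hit ) {
        echo $hit['mtime'], ' ', $hit['path'], ' [', implode( ',', $hit['reasons'] ), "]\n";
    }
}
```

The modification time is printed so hits can be correlated with web-server access logs around the same timestamp; any finding on a site that ran the affected plugin version should be treated as a possible compromise and preserved for forensics rather than simply deleted.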