Impact
The vulnerability allows an attacker to upload arbitrary files with dangerous content types, including web shells. An uploaded web shell can be executed on the web server, granting the attacker full control over the application environment and potentially the underlying server. This flaw represents a classic arbitrary file upload issue that can compromise confidentiality, integrity, and availability.
Affected Systems
Webkul’s Medical Prescription Attachment Plugin for WooCommerce, in all released versions from its inception through 1.2.3, is affected.
Risk and Exploitability
The CVSS base score of 10.0 indicates the highest severity, and the EPSS score of <1% indicates a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can achieve arbitrary code execution through a network‑based attack by sending a crafted file upload request to the plugin’s upload endpoint. The lack of an authentication prerequisite in the disclosed details suggests that files may be uploaded without prior login, increasing the risk of exploitation against publicly accessible sites.
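The controls whose absence this class of flaw implies (an authentication gate, a server-side type allowlist, and a filename the uploader does not control) can be shown in a WordPress AJAX upload handler. The block below is an added example, not code from the Webkul plugin or from this advisory; the action name `rx_attach_upload`, the nonce action `rx_attach_nonce` and the field name `prescription` are hypothetical, and WordPress core functions are assumed to be available.

```php
<?php
// Added example, not the plugin's own code: a hardened WordPress AJAX upload
// handler for prescription attachments. Action name 'rx_attach_upload', nonce
// action 'rx_attach_nonce' and field 'prescription' are hypothetical.

// Registered only for logged-in users: there is no 'wp_ajax_nopriv_' hook,
// so an unauthenticated request never reaches the handler at all.
add_action( 'wp_ajax_rx_attach_upload', 'rx_attach_handle_upload' );

function rx_attach_handle_upload() {
    // 1. Authorisation: a logged-in account plus a valid nonce for this action.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'rx_attach_nonce', 'nonce' );

    if ( empty( $_FILES['prescription']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['prescription']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['prescription'];

    // 2. Allowlist of document and image types only. The decision is made
    //    server-side from file content and extension; the client-supplied
    //    Content-Type header plays no part in it.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }

    // 3. Discard the user-chosen name entirely (no double extensions, no path
    //    characters) and store the file under a random basename.
    $file['name'] = wp_generate_password( 24, false ) . '.' . $check['ext'];

    // 4. Let core move the file, applying the same allowlist as a second gate.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'stored_as' => basename( $result['file'] ) ) );
}
```

Pair this with a web-server rule that refuses to execute scripts from the uploads directory, so that a bypass of the type check still cannot yield a runnable web shell.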
OpenCVE Enrichment