Impact
The vulnerability allows an attacker to upload a web shell or other malicious code to a WordPress site because the plugin does not validate the type of files being uploaded. Once an arbitrary script lands in a web-served directory, the attacker can execute code on the web server, which in turn enables data theft, defacement, or further exploitation. The weakness is a classic unrestricted file-upload flaw, classified as CWE-434, and it undermines the confidentiality, integrity, and availability of the affected system.
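The following is an added illustration of the weakness class described above, not code from the WP Remote Thumbnail plugin or from the advisory: a minimal WordPress AJAX upload handler that trusts the client-supplied filename (the CWE-434 pattern), followed by a hardened version that enforces authorization, a nonce, and server-side file-type validation using the WordPress core functions `wp_check_filetype_and_ext()` and `wp_handle_upload()`. The action names, nonce action, and function names are hypothetical.

```php
<?php
// Added example. Not code from WP Remote Thumbnail; hook, nonce and function
// names below are hypothetical and exist only to illustrate CWE-434.

// VULNERABLE: writes whatever was posted into the uploads directory under the
// client-chosen name, so an attacker can store shell.php and then request it.
add_action( 'wp_ajax_example_thumb_upload', 'example_thumb_upload_vulnerable' );
function example_thumb_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    // No capability check, no nonce, no extension or MIME validation.
    $dest = $upload_dir['path'] . '/' . $_FILES['thumb']['name'];
    move_uploaded_file( $_FILES['thumb']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => $upload_dir['url'] . '/' . basename( $dest ) ) );
}

// HARDENED: authorization, CSRF protection, and content-based type validation.
add_action( 'wp_ajax_example_thumb_upload_safe', 'example_thumb_upload_hardened' );
function example_thumb_upload_hardened() {
    // 1. Only users who may upload media, and only with a valid nonce.
    check_ajax_referer( 'example_thumb_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['thumb'] ) || UPLOAD_ERR_OK !== $_FILES['thumb']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 2. Allow image types only. wp_check_filetype_and_ext() inspects the
    //    file contents, not the client-supplied Content-Type header, so a PHP
    //    script named shell.php.png is rejected because it is not a real image.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['thumb']['tmp_name'],
        sanitize_file_name( $_FILES['thumb']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only image uploads are accepted', 415 );
    }
    // If the extension disagreed with the sniffed content, use the corrected name.
    if ( ! empty( $check['proper_filename'] ) ) {
        $_FILES['thumb']['name'] = $check['proper_filename'];
    }

    // 3. Let WordPress move the file with the same allow-list applied, so the
    //    destination name and type are chosen by core, not by the client.
    $overrides = array(
        'test_form' => false,
        'test_type' => true,
        'mimes'     => $allowed,
    );
    $result = wp_handle_upload( $_FILES['thumb'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The same validation applies when the file is fetched from a remote URL with `download_url()` rather than received in `$_FILES`: run `wp_check_filetype_and_ext()` on the temporary file against an image-only allow-list before handing it to `media_handle_sideload()`.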
Affected Systems
The WP Remote Thumbnail plugin by Nirmal Kumar Ram for WordPress is affected through version 1.3.2. Any installation running version 1.3.2 or earlier should be treated as vulnerable; inventory WordPress sites for the plugin and check the installed version.
Risk and Exploitability
The CVSS score of 9.9 categorizes this vulnerability as critical, while the EPSS score of less than 1% indicates that it is not currently a common exploitation target, though it could be sought by attackers who discover it. The likely attack vector is the plugin’s upload endpoint, reachable through the WordPress admin interface or a public API that the plugin exposes, as inferred from the description. Successful exploitation results in arbitrary code execution on the web server, allowing an adversary to compromise the whole site, not just the plugin. A web application firewall alone is not a reliable mitigation: signature rules can be evaded by renamed or double-extension files, so the file-type check must be enforced by the application itself.