Impact
An arbitrary file upload flaw allows an attacker to place a file on the server without any validation of its type, creating the potential to execute malicious code or compromise the system. The vulnerability is classified as CWE-434, indicating that the upload mechanism does not enforce restrictions on file content. If a malicious file is uploaded and later accessed, the attacker could gain unauthorized control over the WordPress site or exfiltrate data.
Affected Systems
The flaw affects the FantasticPlugins SUMO Affiliates Pro WordPress plugin in versions earlier than 11.1.0. Any installation of the plugin on a WordPress site that has not applied the update is potentially exposed.
Risk and Exploitability
The CVSS score of 10 reflects critical severity with full exploitability. The EPSS score is below 1%, indicating a low but non-zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by uploading a crafted file through the plugin's interface; the file is then served by the web server and may execute on demand. The lack of file type validation is the prerequisite for exploitation, meaning that a remote attacker with sufficient access to the plugin's upload functionality can gain full control of the affected site.
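As an added illustration, not code from SUMO Affiliates Pro or its vendor, the following shows the CWE-434 pattern the advisory describes beside a hardened WordPress upload handler that enforces an extension/MIME allowlist and a capability check; the action name and function names are assumed.

```php
<?php
// Added illustration of CWE-434 and its fix; the handler names are hypothetical,
// not taken from the SUMO Affiliates Pro plugin.

// Vulnerable pattern: the client-supplied name is trusted and no type check is made,
// so a .php file lands under the web root and can later be requested directly.
function affpro_upload_vulnerable() {
    $dest = wp_upload_dir()['basedir'] . '/affiliates/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// Hardened pattern: CSRF nonce, capability check, and an allowlist enforced with
// WordPress's own content sniffing before anything is written to disk.
function affpro_upload_hardened() {
    check_ajax_referer( 'affpro_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Checks the extension against the allowlist and compares it with the real
    // content (magic bytes / getimagesize); 'ext' and 'type' are false on mismatch.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'disallowed file type', 415 );
    }
    // Never keep the client's filename: random name plus the verified extension.
    $_FILES['file']['name'] = wp_generate_password( 20, false ) . '.' . $check['ext'];
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_affpro_upload', 'affpro_upload_hardened' );
```

For defence in depth, the upload directory should also be served with PHP execution disabled (for example via the web server configuration), so that a bypass of the allowlist still cannot run code.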
OpenCVE Enrichment