Impact
This vulnerability arises from a cross-site request forgery (CSRF) flaw in the Ultra Demo Importer plugin: a forged POST request, issued from the browser of a user who is logged in to the victim's WordPress site, can upload a malicious web shell file to the web server. Once the shell is present, the attacker can run arbitrary code with the permissions of the web-server process, resulting in full compromise of the affected site. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
Affected Systems
WordPress installations running the Uncodethemes Ultra Demo Importer plugin at version 1.0.5 or earlier are affected. The plugin, part of the Uncodethemes suite, is listed under the vendor name "Uncodethemes: Ultra Demo Importer". Sites running these versions are exposed to the attack described above.
Risk and Exploitability
The CVSS score of 9.6 signals critical severity, indicating that a successful attacker can gain full control over the target system. The EPSS score of less than 1 % suggests that exploitation attempts were rare at the time of analysis, but the high severity and the potential for remote code execution mean that vigilance is required. The vulnerability is not listed in CISA's KEV catalog, so no active exploitation has been documented. Because the flaw is a CSRF, the forged request only succeeds when it is triggered from a session that already holds the plugin's upload capability: the attacker must therefore trick an authorized user into submitting the upload, typically through a browser that is already logged in to the site. The attack vector is most likely indirect, via a crafted malicious link or page that the victim opens while authenticated.
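The CSRF-to-upload chain described in the Impact and Risk sections comes down to one missing check: the request handler trusts any POST that arrives with a valid login cookie. The following block is an added, illustrative example and is not code from the Ultra Demo Importer plugin or from Uncodethemes; all action names, nonce names and function names in it are hypothetical. It places the generic vulnerable pattern beside the hardened form a WordPress developer would ship (nonce verification, a capability check, and WordPress's own upload validation), so that reviewers can recognise both shapes when auditing plugin code.

```php
<?php
// Added illustrative example, not the plugin's own code. Every action and
// function name below is hypothetical. The handlers are registered on
// wp_ajax_* only (no wp_ajax_nopriv_*), so they already require a login;
// the point is that a login alone does not prove the user intended the request.

// --- Vulnerable pattern: any POST that reaches this action is trusted. ---
add_action( 'wp_ajax_demo_import_upload_vulnerable', 'demo_import_upload_vulnerable' );
function demo_import_upload_vulnerable() {
    // No nonce check: a form submitted from a third-party page in a logged-in
    // administrator's browser is processed as if the administrator sent it.
    // No capability check and no file-type restriction either, so an attacker
    // controlling the form can name the file whatever the server will execute.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern: CSRF token, capability check, validated upload. ---
add_action( 'wp_ajax_demo_import_upload', 'demo_import_upload_hardened' );
function demo_import_upload_hardened() {
    // 1. Reject requests that do not carry a valid nonce bound to this action.
    //    A cross-site page cannot read the nonce, so it cannot forge the request.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_import_upload', 'nonce' );

    // 2. Require an administrative capability, not merely an authenticated session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Make sure a file actually arrived without a PHP-level upload error.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 4. Let WordPress enforce the allowed MIME/extension list and sanitise the
    //    file name. 'test_form' => false is needed because admin-ajax requests
    //    do not carry the 'action=wp_handle_upload' form marker.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            // Demo content for an importer is an archive or an export file;
            // nothing executable by the web server is in this list.
            'mimes'     => array(
                'zip' => 'application/zip',
                'xml' => 'text/xml',
            ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'file' => $result['file'] ) );
}

// The admin page that submits the upload form must embed the matching nonce,
// for example with wp_nonce_field( 'demo_import_upload', 'nonce' ); in the form
// or by passing wp_create_nonce( 'demo_import_upload' ) to the page's script.
```

The nonce is what breaks the CSRF: it is issued only to the logged-in user's own admin page, so a request assembled on an attacker-controlled site cannot include it and `check_ajax_referer()` stops the handler before any file is written. The capability check and the restricted MIME list are the defence-in-depth layers; even if a request were somehow forged, the upload could not land as a server-executable file under a name the attacker chose.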
OpenCVE Enrichment