The WPAMS apartment‑management plugin contains an unrestricted file upload flaw that allows an attacker to upload a file with a dangerous type, such as a web shell. The CVE description states the upload is unrestricted, but it does not explicitly indicate whether authentication is required. Based on common WordPress plugin behavior, it is inferred that the vulnerable endpoint is reachable from the admin interface, allowing users with administrative privileges to exploit the flaw. The flaw is categorized as CWE‑434 and permits the attacker to execute arbitrary code on the hosting web server, compromising confidentiality, integrity, and availability.

The vulnerability affects the WPAMS plugin by Mojoomla on WordPress sites. All releases from the initial version up to and including 44.0, released on 17‑08‑2023, are impacted. The plugin is commonly installed on residential and commercial real‑estate websites that manage apartment listings.

The CVSS score of 10 indicates a severe risk. The EPSS score is reported as < 1%, meaning the probability of exploitation is low but not zero. The likely attack vector is uploading a malicious file through the exposed file upload endpoint via the WordPress admin interface. Because the flaw is in a third‑party plugin and not patched by the core platform, successful exploitation leads to full control of the server. The vulnerability is currently not listed in CISA KEV, but the high CVSS and remote code execution potential warrant immediate attention.