A vulnerability in the HaruTheme Drag and Drop Multiple File Upload (Pro) – WooCommerce plugin allows an attacker to upload a file without any type restrictions. The plugin accepts files of any type, permitting the upload of a web shell or other malicious executable content. This flaw provides the attacker with the capability to execute code on the web server, resulting in full compromise of the site’s confidentiality, integrity, and availability. The weakness is a classic Arbitrary File Upload (CWE‑434).

The issue affects installations of the HaruTheme Drag and Drop Multiple File Upload (Pro) – WooCommerce plugin with versions on or before 5.0.6. Site owners running any of these versions are vulnerable and potentially exposed to remote code execution.

The CVSS score of 10.0 marks this flaw as critical. The EPSS score of less than 1% indicates that while existing exploit attempts are rare, this vulnerability remains highly dangerous and could be leveraged by a determined adversary. The vulnerability is not listed in CISA’s KEV catalog, but it is still a prime target for exploitation due to the ease of file upload and the high impact of a web shell. Likely attacks would target the plugin’s upload interface; attackers would need access to the page that lets users upload files, which is usually exposed to site visitors or authenticated users. The flaw is inferred to be exploitable without additional privileges, making it a significant risk for any affected site.