Impact
The vulnerability permits an attacker to upload a file whose type is not properly checked, allowing potentially dangerous files to be stored on the server. Because the description does not state that the file is automatically executed, the risk of code execution is inferred rather than guaranteed; however, if such files can later be accessed and run by the web server, the attacker could gain unauthorized code execution or carry out other malicious activity.
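As an added illustration of the check whose absence this advisory describes (this is not the Zippy plugin's code; the function name, size cap and private-uploads path are assumptions), a WordPress upload handler that validates both extension and content against an allowlist and stores the file where the web server cannot execute it:

```php
<?php
// Added example, not the Zippy plugin's code. Validates one $_FILES entry:
// checks extension and content against an allowlist, renames the file, and
// stores it outside the web root so that a file which slips through still
// cannot be executed by the web server.
// Assumptions: runs inside WordPress (ABSPATH and wp_check_filetype_and_ext()
// are WordPress-provided); the directory, size cap and function name are made up.

function zippy_example_validate_upload(array $file): array {
    // $file is one entry of $_FILES: keys 'name', 'tmp_name', 'error', 'size', 'type'.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'upload failed or not an uploaded file'];
    }
    if ($file['size'] > 5 * 1024 * 1024) {   // 5 MiB cap (assumed policy)
        return ['ok' => false, 'reason' => 'file too large'];
    }

    // Allowlist: extension pattern => MIME type the file contents must match.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    ];

    // $file['type'] is client-supplied and is deliberately ignored. WordPress
    // inspects the declared extension and the actual bytes; on a mismatch, or
    // an extension outside $allowed, it returns empty 'ext' and 'type'.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        return ['ok' => false, 'reason' => 'extension or content not in allowlist'];
    }

    // Random basename plus the verified extension: the stored name cannot carry
    // a second extension such as "x.php.jpg" or any path component.
    $stored = bin2hex(random_bytes(16)) . '.' . $check['ext'];

    // Directory outside the document root (assumed path): nothing stored here is
    // reachable by URL, so the web server never interprets it as a script.
    $dir = dirname(ABSPATH) . '/private-uploads';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return ['ok' => false, 'reason' => 'storage directory unavailable'];
    }
    $dest = $dir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    chmod($dest, 0640);   // readable by the application, never executable

    return ['ok' => true, 'path' => $dest, 'mime' => $check['type']];
}
```

Files stored this way are served back only through application code that reads them and sets the Content-Type itself, never through a direct URL to the upload directory.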
Affected Systems
Gesundheit Bewegt GmbH’s Zippy plugin, all releases up to and including version 1.7.0, is affected. No further version granularity is specified.
Risk and Exploitability
The CVSS score of 9.1 indicates a severe vulnerability, while the EPSS score of less than 1 % suggests a low current exploitation probability. The flaw is not listed in CISA KEV. Likely attack vectors involve an unauthenticated or authenticated user submitting a file through the plugin’s upload interface, with potential subsequent execution depending on server configuration. The overall risk remains high due to the severity and potential impact, but real-world exploitation is currently expected to be uncommon.
OpenCVE Enrichment