The plugin exposes an unrestricted file upload feature that accepts any file type, including executable web shells. An attacker who can utilize this upload gateway can place a malicious script onto the web server and later trigger it to run in the server's context. This flaw directly allows the attacker to execute arbitrary code, potentially leading to full server compromise, data theft, or further lateral movement within the network. The weakness is a type‑of‑input validation flaw as identified by CWE‑434.

WordPress sites employing the Addify Custom User Registration Fields for WooCommerce plugin, any version up to and including 2.1.2. Users running older releases of this plugin are also impacted.

The CVSS base score of 10 categorises the vulnerability as critical, and the EPSS score of less than 1% suggests that mass exploitation is unlikely at present. It is not listed in CISA’s KEV catalog, indicating no known widespread attacks. The attack vector, while not explicitly stated, is inferred to be via HTTP requests to the plugin’s upload endpoint, potentially accessible to unauthenticated users or requiring limited authentication; once an upload is accepted, the attacker can execute the file. The combined high severity and low exploitation probability still represent a significant risk to any affected WordPress installation.