Impact
This vulnerability, classified as CWE‑434, allows the PT Luxa Addons plugin to accept arbitrary files because the upload process lacks proper validation. If an attacker uploads a script or executable and the web server does not block execution, the uploaded content can run with the server’s privileges, providing remote code execution or other destructive actions. The high CVSS score of 9.9 reflects the critical severity of this flaw.
Affected Systems
WordPress sites that run the PT Luxa Addons plugin version 1.2.2 or earlier are affected. No operating‑system, PHP‑version, or user‑role restrictions are mentioned, so any installation of the affected plugin versions is vulnerable.
Risk and Exploitability
Based on the description, it is inferred that the upload endpoint can be abused without authentication or with minimal privileges, making it accessible to a wide range of attackers. The likely attack vector is the plugin’s upload interface exposed over HTTP, allowing a malicious file to be placed in a web‑accessible directory. The EPSS score is not available, so the exact exploitation probability is unknown, but the CVSS score indicates a very high impact. The vulnerability is not listed in the CISA KEV catalog at this time.
OpenCVE Enrichment