This vulnerability enables an attacker to upload files of any type to the WordPress plugin Support Ticket System for WooCommerce, allowing the arbitrary placement of executable code. The lack of file type validation means an attacker could upload a PHP script or other executable payload, and based on the description, it is inferred that this could lead to remote code execution by the web server, potentially enabling data exfiltration or injection of further malicious content. It is also inferred that the attacker might gain the ability to run arbitrary code with the privileges of the web application.

The affected product is Plugify Support Ticket System for WooCommerce (Premium). Vulnerable versions include all releases from the initial version up to and including 2.0.7, inclusive.

The CVSS score of 10 indicates critical severity. The EPSS score of less than 1% suggests the likelihood of exploitation is low at present, and the vulnerability is not yet listed in CISA's KEV catalog. The likely attack vector involves crafted HTTP requests to the plugin's file upload endpoint, and it is inferred that such requests may require authentication to the WordPress admin area. The data indicates that uploading files of any type may lead to the execution of malicious code on the server, but the exact execution conditions are not explicitly specified.