The vulnerability is an unrestricted file upload that allows an attacker to upload malicious files to the server. The affected plugin version does not validate the file type or enforce safe upload procedures, enabling potentially executable content such as PHP scripts to be placed on the webroot. If a PHP file is uploaded, the attacker can execute arbitrary code, leading to full compromise of the web application and underlying server. This weakness is identified as CWE-434: Unrestricted Upload of File with Dangerous Type.

The flaw affects the Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture plugin in all releases from the initial version up to and including 2.0.3.1. Users of WordPress sites running any of these versions via the WooCommerce Wholesale Lead Capture plugin are at risk.

The injected vulnerability carries a CVSS base score of 9, indicating critical severity. EPSS and KEV data are unavailable, but the absence from the KEV catalog does not mitigate the risk. Attackers can exploit the flaw by sending a crafted HTTP request to the plugin’s upload endpoint—no special privileges are documented, so it is inferred that the attack vector is remote and may not require authentication. Once a malicious file is uploaded, executing it can allow attackers to gain remote code execution or further compromise the site. Given the high score and the potential for broad impact, immediate remediation is advised.