Impact
The weakness is an unrestricted file upload that accepts any file type without validation. A malicious actor can upload files with dangerous extensions or executable payloads to the WordPress site through the Woocommerce Wholesale Lead Capture plugin. Based on the description, it is inferred that if the server permits execution of those files in the upload location, the attacker could run arbitrary PHP or other code, effectively gaining control over the application layer. The flaw is categorized as CWE-434, Unrestricted Upload of File with Dangerous Type.
Affected Systems
The vulnerability affects the Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture plugin in all releases from the first version through and including 2.0.3.1. WordPress sites that have installed any of these plugin versions are at risk.
Risk and Exploitability
The CVSS score is 9, indicating high severity, and the EPSS score is below 1%, indicating low overall attack probability. The vulnerability is not listed in the CISA KEV catalog. The description does not mention authentication requirements; therefore it is inferred that the upload endpoint may be reachable by an unauthenticated user. An attacker could send a crafted HTTP request to the plugin’s upload endpoint to place a malicious file in the webroot. Based on the description, it is inferred that if the server allows execution of uploaded files, the attacker could obtain remote code execution or further compromise the site.
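To make the CWE-434 pattern described under Impact and Risk and Exploitability concrete, the following is an added illustration, not the plugin's code: a WordPress AJAX upload handler written the unsafe way beside a hardened version. Function, action and nonce names are hypothetical, and the allowed file types are an assumption chosen for the example.

```php
<?php
// Illustrative WordPress AJAX upload handlers (hypothetical names; not the
// plugin's code). Action/nonce names and the allowlist are assumptions.

// Vulnerable pattern (CWE-434): no auth check, and the name and type come
// straight from the request; the file lands in the web-served uploads
// directory, so a request carrying a .php file puts executable code in the webroot.
function wwlc_hypothetical_upload_unsafe() {
    $upload = wp_upload_dir();
    $dest   = $upload['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'file' => $dest ) );
}

// Hardened pattern: require a logged-in user with the upload capability and a
// valid nonce, allowlist the extension/MIME pair, and let WordPress sanitize the name.
function wwlc_hypothetical_upload_safe() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // dies
    }
    check_ajax_referer( 'wwlc_hypothetical_upload', 'nonce' );
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];
    // Only these types are accepted; php, phtml, html, svg and the like are rejected.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    // Checks the extension against the allowlist and, for images, the real
    // content via finfo; ext/type come back empty when a check fails.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload re-validates against 'mimes', picks a unique sanitized
    // filename, and returns an 'error' key instead of writing on failure.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// Only the hardened handler is registered. Separately, serving the uploads
// directory without script execution closes the execution path the advisory
// describes even if a validation bypass is found later.
add_action( 'wp_ajax_wwlc_hypothetical_upload', 'wwlc_hypothetical_upload_safe' );
```

Note that the safe handler is registered on `wp_ajax_` only (logged-in users); omitting a `wp_ajax_nopriv_` hook is what keeps the endpoint away from unauthenticated requests, which the advisory infers may otherwise be possible.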
OpenCVE Enrichment