Impact
This vulnerability arises from an unrestricted upload mechanism in the WooCommerce License Manager plugin through version 7.0.6. An attacker can place any file on the server, including a web shell, which would allow unchecked execution of arbitrary code on the host. The weakness corresponds to CWE-434, representing an improper restriction of a file type uploaded to a system. The severity reflected by a CVSS score of 9.1 indicates that an exploitation yields full remote control of the affected web application, potentially compromising site data, credentials, and the underlying server.
Affected Systems
The issue affects WordPress sites that host the WooCommerce License Manager (fs-license-manager) plugin developed by firassaidi. All installations running any release up to and including version 7.0.6 are susceptible; newer releases are presumed fixed.
Risk and Exploitability
The CVSS base score of 9.1 and a low but nonzero EPSS probability (<1%) suggest that, while the exploitation window may not be large, the consequence of exploitation is catastrophic. The vulnerability is not listed in the CISA KEV catalog, indicating it may not currently be actively exploited in the wild. Attackers would need access to the plugin’s upload endpoint; the description implies this endpoint may be limited to authenticated users with upload rights, yet it also suggests that any interaction with the upload form could allow exploitation. Once a web shell is in place, the attacker can execute commands on the server, exfiltrate data, or pivot further into the network. The combination of high severity, potential for remote command execution, and minimal protection measures warrants urgent remediation.
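Two defensive checks that follow from the advisory above, written here as an added example rather than code from the plugin or from OpenCVE: a CWE-434-style upload gate that refuses server-executable extensions anywhere in the name and verifies the declared type against the file's magic bytes, and a helper that reads the `Version:` line of a WordPress plugin header and reports whether it falls in the affected range (up to and including 7.0.6). The plugin header text in the test is constructed; the extension and magic-byte lists are assumptions chosen for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Extensions a typical PHP web server would execute if the file lands in a served path.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist of types a license/upload form legitimately needs, with their magic bytes
# (assumed set for this example; a real form may need a different allowlist).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Last release named as affected by the advisory.
LAST_AFFECTED = "7.0.6"


def upload_rejected_reason(filename: str, content: bytes) -> Optional[str]:
    """Return None when the upload passes the gate, otherwise why it was refused."""
    name = PurePosixPath(filename).name  # strip any client-supplied directory part
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return "no extension"
    # Refuse an executable extension anywhere after the base name (e.g. shell.php.jpg):
    # some server configurations act on the first recognised extension, not the last.
    if EXECUTABLE_EXTS & set(parts[1:]):
        return "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return "extension not in allowlist"
    # Extension alone proves nothing; the content must match the declared type.
    if not content.startswith(ALLOWED[ext]):
        return "content does not match declared type"
    return None


def plugin_is_affected(header_text: str, last_affected: str = LAST_AFFECTED) -> bool:
    """Parse 'Version:' from a WordPress plugin header; True if <= last_affected."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    found = tuple(int(p) for p in m.group(1).split(".") if p) if m else ()
    if not found:
        return True  # no parseable version: cannot prove it is patched, treat as affected
    limit = tuple(int(p) for p in last_affected.split("."))
    return found <= limit
```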
OpenCVE Enrichment