Impact
An unauthenticated user can send files to the GeekyBot WordPress plugin and have them stored on the web server because the plugin does not validate file types or extensions, a weakness described as CWE‑434. No explicit confirmation exists that the uploaded files could be executed, but the mere ability to place arbitrary files in an accessible location indicates a high potential for further compromise. Based on the nature of the vulnerability, attackers might attempt to upload malicious scripts or binaries that could later be executed by a compromised user or by misconfiguration of the web server.
Affected Systems
The flaw is in the Ahmad:GeekyBot WordPress plugin, affecting all releases up to and including version 1.2.2. Site owners who have installed or are operating any version of the plugin that is 1.2.2 or older are impacted. Upgrading to version 1.2.3 or a newer release removes the vulnerability.
Risk and Exploitability
The CVSS score of 10 highlights a critical severity. Although the EPSS score is below 1 % suggesting a low current exploitation probability, the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a remote HTTP or HTTPS request that reaches the plugin’s upload endpoint without requiring authentication, permitting the attacker to submit multipart requests and upload arbitrary files.
OpenCVE Enrichment