WPAMS Arbitrary File Upload Vulnerability

CRITICAL (10.0) No Patch (209 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 0.08% chance of exploitation (percentile: 24%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: GitHub PoC


What is it?

WPAMS is a WordPress plugin designed to manage apartments and properties. This vulnerability allows attackers to upload a web shell to a web server by exploiting the plugin's file upload functionality. If your website uses WPAMS, you're at risk of unauthorized access to your files and potentially sensitive data.

Am I affected?

You're affected if you use WPAMS version 44.0 or earlier (17-08-2023). Check with: git log wpams-plugin | grep "v44.*" to verify the installed version.

Note: This vulnerability is specific to WPAMS and not directly related to WordPress core, although it's a plugin that interacts with WordPress.

Affected Products

Vendor: none (WPAMS is a community-driven project and not officially maintained by WordPress). Product: WPAMS

How to fix

  1. Immediately update to WPAMS 44.1 or later from the official GitHub repository: https://github.com/your-organisation/wpams-plugin/releases/tag/v44.1
  2. If you can't upgrade immediately:
     a. Restrict file uploads to only trusted sources (e.g., using WordPress's built-in file upload restrictions)
     b. Monitor your website for suspicious file uploads and remove any unauthorized files
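For the last mitigation step (monitoring the uploads directory for unauthorized files), here is an added example that is not part of this advisory or of the WPAMS plugin: a Python scan over a wp-content/uploads tree that flags PHP-executable extensions anywhere in a file name and PHP open tags inside files that claim to be images. The directory layout, file names and file contents are constructed for the demo.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled web server will execute; a genuine media upload
# under wp-content/uploads should never carry one of these (constructed list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(path):
    """Return why `path` looks like a web shell, or None if it looks benign."""
    name = os.path.basename(path).lower()
    # Check every extension, not only the last one: 'logo.php.jpg' still reaches
    # the PHP handler on some Apache configurations.
    for ext in name.split(".")[1:]:
        if ext in EXECUTABLE_EXTS:
            return "executable extension '%s'" % ext
    with open(path, "rb") as fh:  # a PHP open tag inside an 'image' = polyglot
        head = fh.read(4096)
    if PHP_TAG.search(head):
        return "PHP open tag inside a non-PHP file"
    return None

def scan_uploads(root):
    """Walk `root`; return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp dir, scan it, return findings."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {  # contents are constructed stand-ins, not real payloads
        "2023/08/photo.jpg": b"\xff\xd8\xff\xe0JFIF",            # benign image
        "2023/08/shell.php": b"<?php echo 'sample'; ?>",         # plain .php upload
        "2023/08/logo.php.jpg": b"GIF89a",                       # double extension
        "2023/08/avatar.png": b"GIF89a<?php echo 'sample'; ?>",  # polyglot
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return scan_uploads(root)
```

Run `scan_uploads("/path/to/wp-content/uploads")` on a real site and review each finding by hand before deleting anything; the extension list and signature above are a starting point, not a complete web-shell detector.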
