Missing Authorization vulnerability in Eugen Bobrowski Debug Tool debug-tool allows Upload a Web Shell to a Web Server.This issue affects Debug Tool: from n/a through <= 2.2.
The vulnerability results from a lack of appropriate authorization control mechanisms (CWE-862) in handling file upload functionality in the Debug Tool plugin. An attacker without any authentication can send a network request uploading a malicious file (Web Shell) directly to the web server. The absence of permission verification means that the operation is executed successfully regardless of user role or session.
An attacker can gain full control over the server by executing arbitrary code (RCE) through an uploaded Web Shell. Data disclosure, modification, or deletion is possible, as well as further lateral movement within the infrastructure.
The Debug Tool plugin must be immediately updated to a version higher than 2.2, or — if an update is not available — the plugin should be immediately deactivated and removed from all WordPress installations. Details regarding available patches are available in the Patchstack references.
The Debug Tool plugin by Eugena Bobrowski for WordPress in versions from its inception (n/a) to 2.2 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H