Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server.This issue affects g-FFL Checkout: from n/a through <= 2.1.0.
The vulnerability results from insufficient verification of uploaded file types (CWE-434 — Unrestricted Upload of File with Dangerous Type). An attacker can upload an executable file, such as a PHP web shell, directly to the web server without any authentication. After placing the file on the server, the attacker can access it through a web browser, gaining the ability to execute arbitrary commands in the server's context.
An attacker can gain full control over the web server by installing a web shell, enabling arbitrary command execution, data theft, website content modification, and further lateral movement within the victim's infrastructure.
Apply patches available from the vendor according to the references provided. Until an update is applied, it is recommended to deactivate the g-FFL Checkout plugin. It is also advisable to check the server for the presence of unauthorized files uploaded before applying the fix.
WordPress g-FFL Checkout plugin by garidium in versions from the beginning up to and including 2.1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H