Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) consists of a lack of proper verification of the types and content of uploaded files. An attacker without any account or permissions can send a specially crafted request to the vulnerable endpoint of the plugin and upload an executable file, such as a PHP webshell, to the server. The uploaded file can then be executed by the attacker directly through a browser or HTTP request.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server (RCE), which can lead to complete takeover of the WordPress service, data theft, installation of a backdoor, or use of the server as a launch point for further attacks on the network.
The GeekyBot plugin should be updated immediately to a version higher than 1.2.2. If an update is not available, the plugin should be deactivated and removed immediately. Detailed information about available patches should be checked in the vendor references and in the Patchstack database.
GeekyBot plugin for WordPress in versions 1.2.2 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H