WordPress MStore API Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in WordPress MStore API version 2.0.6. This vulnerability allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can exploit this issue by uploading PHP files with arbitrary names to the 'config_file' endpoint, potentially leading to remote code execution on the server.

Impact

An attacker who exploits this vulnerability can upload arbitrary files and use them to execute malicious code on the server, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/api/flutter_woo/config_file' endpoint with a file upload that includes a PHP file disguised as a JSON file. The uploaded file can then be executed on the server, achieving remote code execution.
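For defenders, the following added example (not code from the MStore API plugin or from this advisory) finds POST requests to the endpoint in web server access logs and checks whether an uploaded "JSON" config file really is JSON. It assumes Combined Log Format; the function names and sample log lines are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/api/flutter_woo/config_file"  # REST route named in the advisory
LOG_RE = re.compile(  # Combined Log Format (assumed log layout)
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:13:40:01 +0000] "POST /wp-json/api/flutter_woo/config_file HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.4 - - [10/May/2026:13:41:10 +0000] "GET /wp-json/api/flutter_woo/config_file HTTP/1.1" 404 10 "-" "-"',
    '203.0.113.9 - - [10/May/2026:13:42:30 +0000] "POST /?rest_route=%2Fapi%2Fflutter_woo%2Fconfig_file HTTP/1.1" 200 52 "-" "-"',
    '192.0.2.15 - - [10/May/2026:13:43:00 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300 "-" "-"',
]

def rest_route(target):
    """Normalise a request target to its WordPress REST route (lower-cased)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):].rstrip("/")
    # With plain permalinks WordPress takes the route from ?rest_route=.
    return parse_qs(parts.query).get("rest_route", [""])[0].lower().rstrip("/")

def find_upload_requests(lines):
    """Return (ip, time, status) for every POST that reaches the config_file route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and rest_route(m["target"]) == ROUTE:
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

def looks_like_json_config(filename, data):
    """True only for a plain *.json name whose bytes parse as JSON and hold no PHP open tag."""
    if not re.fullmatch(r"[a-z0-9_-]+\.json", filename.lower()):
        return False  # rejects shell.php, cfg.php.json, ../x.json
    if b"<?" in data:  # strict: also rejects "<?xml" inside JSON strings
        return False
    try:
        return isinstance(json.loads(data.decode("utf-8")), (dict, list))
    except (UnicodeDecodeError, ValueError):
        return False
```

Any hit from an unexpected source address warrants a review of the files written around that timestamp; the content check can be run over those files or used as a model for server-side validation.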

Added: May 10, 2026, 1:37 PM
Updated: May 10, 2026, 1:37 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 9.7
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.