CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Unrestricted Upload of File with Dangerous Type vulnerability in FantasticPlugins SUMO Affiliates Pro allows Using Malicious Files. This issue affects SUMO Affiliates Pro: from n/a through 10.7.0.
Analysis
Critical unrestricted file upload (CWE-434) in FantasticPlugins SUMO Affiliates Pro, affecting all versions through 10.7.0. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H evaluates to the maximum base score of 10.0: the upload handler is reachable over the network, requires no privileges and no user interaction, and the impact crosses the plugin's security boundary with high loss of confidentiality, integrity and availability. For a WordPress plugin this profile means an anonymous attacker can place a file of a type the server executes (typically PHP) under the web root and obtain remote code execution as the web server user, which exposes wp-config.php and the database credentials in it and therefore the whole site. Any installation running an affected version should be treated as exposed until the plugin is updated or removed.
Technical Context
The underlying defect is the absence of server-side validation in a file upload path of the SUMO Affiliates Pro WordPress plugin. CWE-434 (Unrestricted Upload of File with Dangerous Type) describes an application that accepts an upload without reliably checking what was uploaded, so an attacker can store a file that the web server will hand to an interpreter (a .php or .phtml file, or a file whose content is PHP under another name) and then request it. The advisory does not say which feature carries the flaw; an affiliate plugin typically accepts uploads for affiliate registration, document submission or creative/media management, so those handlers are the natural places to look. Checks that only inspect the client-supplied MIME type or the extension as the client named it are not sufficient: the MIME type is attacker-controlled, and double extensions such as shell.php.jpg are still executed by some Apache handler configurations. The vector components spell out the exposure: Network (AV:N) with Low complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N) mean the upload endpoint is reachable by anonymous clients over HTTP/HTTPS. Scope Changed (S:C) records that the consequences are not confined to the plugin: code executed through an uploaded file runs with the web server's identity across the whole WordPress site, its database and, on shared hosts, any other site running under the same system user.
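One server-side control that removes the "web server will process it" half of the problem is to refuse to execute scripts under the uploads directory, so that a file the plugin wrongly accepts is served as inert content instead of run. The following is an added example, not configuration from the plugin or from this advisory; it assumes Apache 2.4, AllowOverride All (or at least AuthConfig) for wp-content/uploads, and a PHP handler mapped by file extension:

```apache
# wp-content/uploads/.htaccess  (added example; Apache 2.4 syntax)
# Deny every request for a script-like name anywhere in this tree.
# The trailing (\.|$) also matches double extensions such as shell.php.jpg,
# which some AddHandler configurations would otherwise hand to PHP.
<FilesMatch "\.(php|phtml|php[0-9]|phps|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

Two caveats. nginx ignores .htaccess entirely; there the equivalent is a `location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)` block returning 403, and it must appear before the generic `\.php$` fastcgi location because nginx picks the first matching regex location. And since an unrestricted upload could itself write a .htaccess (or .user.ini for PHP-FPM) into the same directory, the deny rule is stronger when placed in the virtual host configuration with AllowOverride None for the uploads path than when left as a per-directory file.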
Affected Products
Affected product: FantasticPlugins SUMO Affiliates Pro (WordPress plugin). Affected versions: all releases from the first through 10.7.0 inclusive; the advisory gives no fixed version. A CPE 2.3 name in the usual form for this plugin would be cpe:2.3:a:fantasticplugins:sumo_affiliates_pro:*:*:*:*:*:wordpress:*:* (stated here as the expected form, not as an authoritative NVD entry). Exposure does not depend on the WordPress core version, since the flaw is in plugin code; any site with an affected version installed and active is affected. The advisory does not identify the specific upload endpoint, only that it is reachable without authentication and does not validate the uploaded file's type.
Remediation
Immediate actions:
1) If FantasticPlugins has released a version newer than 10.7.0 that addresses this issue, update at once (WordPress admin → Plugins → Update, or install the release from the vendor).
2) If no fixed release is available, deactivate and delete SUMO Affiliates Pro (Plugins → Deactivate → Delete) until one is. Deleting the plugin does not remove files it already accepted, so step 4 is still required.
3) As a compensating control, stop the web server from executing scripts under wp-content/uploads and under any other directory the plugin writes to; a successful upload then yields a file that is served as plain content rather than run. Because the advisory does not name the vulnerable endpoint, a WAF rule on a guessed path such as wp-content/plugins/sumo-affiliates-pro/ is weaker than the execution block; where a WAF is used, block unauthenticated multipart POSTs to the plugin's request handlers and to the admin-ajax.php actions it registers, once those have been identified from the plugin source.
4) Search upload directories for files the plugin should never have accepted: names ending in .php, .phtml, .php3/4/5/7, .phps or .phar, double extensions such as image.php.jpg, dropped .htaccess or .user.ini files, and any file whose contents contain a PHP open tag regardless of its name. Compare modification times against the plugin's install date.
5) Review web server access logs (WordPress itself does not log requests) for multipart POST requests to plugin paths or admin-ajax.php from unfamiliar addresses, and for later GET requests to script files under wp-content/uploads; a 200 response to such a GET is strong evidence of a working web shell.
6) If a web shell or other planted file is found, treat the host as compromised: preserve the file and the logs, rotate the database password, the WordPress salts and any API keys in wp-config.php, and reset administrator credentials.
Long-term: subscribe to FantasticPlugins security advisories and apply critical plugin updates within 24 to 48 hours of release.
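The following added example, which is not code from the plugin or from this advisory, implements the checks that the Technical Context section and step 4 above describe: an extension check that also catches double extensions, and a content check for PHP open tags that catches files renamed to a harmless extension. The same classify() logic is what an upload handler should run server-side before writing a file; here it is applied as a scanner over a constructed uploads tree in a temporary directory. The extension list, the sample files and the 1 MiB read limit are assumptions to adjust for the target server.

```python
"""Scan a directory tree for uploads that a PHP web server might execute.

Added example (not from the SUMO Affiliates Pro plugin or from vuln.today).
Sample files below are constructed for the demo.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Extensions that common Apache/PHP-FPM setups hand to the PHP interpreter.
# Assumption: adjust to whatever the target server actually maps.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}

# PHP open tags. The bare "<?" form is deliberately excluded because it also
# starts XML prologs; "<?=" (echo tag) is always PHP.
PHP_TAG_RE = re.compile(
    rb"<\?(?:php\b|=)|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def dangerous_extension(filename: str) -> str | None:
    """Return the offending extension if any dot-separated part of the name
    is executable, else None. Catches 'shell.php', 'Shell.PHP' and the
    double extension 'shell.php.jpg' that some AddHandler setups execute."""
    for ext in filename.lower().split(".")[1:]:  # skip the base name
        if ext in EXECUTABLE_EXTS:
            return ext
    return None


def contains_php(data: bytes) -> bool:
    """Content check that does not depend on the file name."""
    return PHP_TAG_RE.search(data) is not None


def classify(filename: str, data: bytes) -> str | None:
    """Reason the file must be rejected (or quarantined), or None if it
    passes these checks. Run this server-side before writing an upload."""
    ext = dangerous_extension(filename)
    if ext:
        return f"executable extension .{ext}"
    if contains_php(data):
        return "PHP open tag in content"
    if filename.lower() == ".htaccess":
        return ".htaccess upload (can re-enable PHP execution)"
    return None


def scan_tree(root: str, max_read: int = 1 << 20) -> list[Finding]:
    """Walk root and return findings sorted by path. Only the first
    max_read bytes of each file are inspected (assumption: shells are small)."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reason = classify(name, head)
            if reason:
                findings.append(Finding(os.path.relpath(full, root), reason))
    return sorted(findings, key=lambda f: f.path)


def demo() -> list[Finding]:
    """Create a constructed uploads tree and scan it."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    samples = {  # constructed sample files, not real evidence
        "2025/06/avatar.png": b"\x89PNG\r\n\x1a\n...",
        "2025/06/shell.php": b"<?php system($_GET['c']); ?>",
        "2025/06/photo.php.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        "2025/06/notes.txt": b"<?= file_get_contents('/etc/passwd') ?>",
        "2025/06/.htaccess": b"AddType application/x-httpd-php .jpg\n",
        "2025/06/report.xml": b"<?xml version='1.0'?><r/>",
    }
    for rel, content in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

Run it against a real site with `scan_tree("/var/www/html/wp-content/uploads")`. The demo flags four of the six constructed files and leaves the PNG and the XML document alone; the XML case is why the regex requires `<?php` or `<?=` rather than a bare `<?`.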
EUVD-2025-17476