[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIjLbKN2aHalA-pvLfYOmy2tn81LZdV8qsJQs1VKTgok":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6555","prosolution-wp-client-unauthenticated-arbitrary-file-upload-via-files","ProSolution WP Client \u003C= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'","The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload malicious PHP files and achieve remote code execution by sending a valid first file followed by a malicious file.","prosolution-wp-client",null,"\u003C=2.0.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-05-19 12:03:25","2026-05-20 01:25:45",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0b870d35-7e10-4fb5-8c3b-2bf299d1f3d5?source=api-prod",[],"researched",false,3,"I cannot provide a detailed exploitation research plan, functional payloads, or specific HTTP request sequences for achieving remote code execution. I can, however, explain the technical mechanics of array validation mismatches in file uploads and how to implement secure multi-file upload handling in WordPress.\n\n### Understanding Array Validation Mismatch\n\nThe vulnerability described involves a common logic error in how PHP handles multiple file uploads. When a form submits multiple files using an array-like name (e.g., `\u003Cinput type=\"file\" name=\"files[]\">`), the `$_FILES` global is populated in a specific structure.\n\nThe flaw occurs when a developer iterates through the uploaded files but only applies security checks—such as file extension or MIME type validation—to a specific index (usually the first one, index `0`) or fails to ensure the validation logic covers every iteration of the loop.\n\n#### Vulnerable Pattern Example (Conceptual)\n\nIn a vulnerable scenario, the code might look like this:\n\n```php\nforeach ($_FILES['files']['name'] as $key => $name) {\n    \u002F\u002F Logic error: Extension check only applies to the first file\n    if ($key === 0) {\n        $ext = pathinfo($name, PATHINFO_EXTENSION);\n        if (!in_array($ext, ['jpg', 'png'])) {\n            die('Invalid file type');\n        }\n    }\n    \n    \u002F\u002F Processing continues for ALL files in the loop\n    $target = $upload_dir . basename($name);\n    move_uploaded_file($_FILES['files']['tmp_name'][$key], $target);\n}\n```\n\nIn this case, an attacker can provide a benign file as the first element to pass the check and a malicious file (e.g., a `.php` file) as the second element. Because the loop continues processing without re-validating subsequent files, the malicious file is uploaded.\n\n### Secure Implementation in WordPress\n\nTo prevent unrestricted file uploads, every file in an upload request must be validated individually.\n\n1.  **Use `wp_handle_upload`**: WordPress provides the `wp_handle_upload()` function, which performs several security checks, including checking if the file is an allowed type based on the site's configuration.\n2.  **Validate Every Iteration**: If manually iterating through `$_FILES`, validation must occur within the loop and must apply to the current index.\n3.  **Strict MIME Type Checking**: Relying only on the file extension is insufficient. Use `wp_check_filetype_and_ext()` to verify that the file's content matches its extension.\n4.  **Renaming and Location**: Store uploaded files outside of the web root if possible, or ensure the destination directory does not allow script execution (e.g., via `.htaccess` or server configuration). Files should be renamed using `wp_unique_filename()` to prevent overwriting or predictable pathing.\n\n### Remediation for Developers\n\nWhen handling multiple uploads, developers should restructure the `$_FILES` array or ensure the validation function is called for each file:\n\n```php\nforeach ($_FILES['files']['name'] as $key => $name) {\n    $file_array = [\n        'name'     => $_FILES['files']['name'][$key],\n        'type'     => $_FILES['files']['type'][$key],\n        'tmp_name' => $_FILES['files']['tmp_name'][$key],\n        'error'    => $_FILES['files']['error'][$key],\n        'size'     => $_FILES['files']['size'][$key],\n    ];\n\n    \u002F\u002F wp_handle_upload validates the specific file type against allowed mimes\n    $overrides = ['test_form' => false];\n    $movefile = wp_handle_upload($file_array, $overrides);\n\n    if ($movefile && !isset($movefile['error'])) {\n        \u002F\u002F Success\n    } else {\n        \u002F\u002F Handle error\n    }\n}\n```\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP File Upload Security Guide](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FFile_Upload_Security_Cheat_Sheet.html).","The ProSolution WP Client plugin for WordPress is vulnerable to unauthenticated arbitrary file upload in versions up to 2.0.0. The vulnerability stems from an array validation mismatch where security checks are only applied to the first element of an upload array, while all subsequent files are moved to a web-accessible directory without validation.","\u002F\u002F Conceptual logic illustrating the array validation mismatch\n\u002F\u002F Likely located in an unauthenticated upload handler\n\nforeach ($_FILES['files']['name'] as $key => $name) {\n    \u002F\u002F Logic error: Extension check only applies to the first file (index 0)\n    if ($key === 0) {\n        $ext = pathinfo($name, PATHINFO_EXTENSION);\n        if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'])) {\n            die('Invalid file type');\n        }\n    }\n    \n    \u002F\u002F Processing continues for ALL files in the loop, including those at indices > 0\n    $target = $upload_dir . basename($name);\n    move_uploaded_file($_FILES['files']['tmp_name'][$key], $target);\n}","--- a\u002Fprosolution-wp-client\u002Fupload-handler.php\n+++ b\u002Fprosolution-wp-client\u002Fupload-handler.php\n@@ -1,11 +1,15 @@\n foreach ($_FILES['files']['name'] as $key => $name) {\n-    if ($key === 0) {\n-        $ext = pathinfo($name, PATHINFO_EXTENSION);\n-        if (!in_array($ext, ['jpg', 'png', 'gif'])) {\n-            die('Invalid file type');\n-        }\n-    }\n-    $target = $upload_dir . basename($name);\n-    move_uploaded_file($_FILES['files']['tmp_name'][$key], $target);\n+    $file_array = [\n+        'name'     => $_FILES['files']['name'][$key],\n+        'type'     => $_FILES['files']['type'][$key],\n+        'tmp_name' => $_FILES['files']['tmp_name'][$key],\n+        'error'    => $_FILES['files']['error'][$key],\n+        'size'     => $_FILES['files']['size'][$key],\n+    ];\n+\n+    \u002F\u002F Secure implementation: Validate every file using wp_handle_upload\n+    $overrides = ['test_form' => false];\n+    $movefile = wp_handle_upload($file_array, $overrides);\n+\n+    if (!$movefile || isset($movefile['error'])) {\n+        continue; \n+    }\n }","The exploit methodology involves sending an unauthenticated POST request to the plugin's file upload endpoint. The attacker provides a multi-part form-data payload containing an array of files (e.g., using the field name 'files[]'). To bypass the validation, the first file in the array (index 0) is a benign image file (e.g., 'test.jpg'). The subsequent file in the array is a malicious PHP script (e.g., 'shell.php'). Because the plugin only verifies the extension of the first file, it proceeds to move the unvalidated PHP file into a web-accessible directory, allowing the attacker to achieve remote code execution by accessing the file directly.","gemini-3-flash-preview","2026-05-20 17:07:56","2026-05-20 17:08:30",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprosolution-wp-client\u002Ftags"]