A critical (CVSS 9.8) arbitrary file upload flaw in the ProSolution WP Client WordPress plugin lets unauthenticated attackers achieve remote code execution by smuggling malicious PHP files past a broken validation check.
What Is It
CVE-2026-6555 is an Arbitrary File Upload vulnerability (CWE-434) in the ProSolution WP Client plugin for WordPress, affecting all versions up to and including 2.0.0. The root cause is an array validation mismatch: when files are submitted as an upload array, only the first file undergoes extension and MIME type validation, while every file in the array is processed and written to a web-accessible directory. An unauthenticated attacker can pair a benign first file with a malicious PHP payload to bypass the check entirely and execute code on the server.
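The validation mismatch described above, as an added illustration rather than the plugin's actual code: a handler that checks only index 0 of a multi-file `files[]` array but writes every entry, beside a corrected handler that validates each entry before writing anything. The function names, allowed-type lists and upload directory are assumptions for the example; `wp_upload_dir()` is the real WordPress helper for the uploads base directory.

```php
<?php
// Added illustration of the per-file validation mismatch (not the plugin's code).
// Function names, the allowed-type lists and the upload directory are assumptions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME       = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Validate one file entry by extension and by the MIME type sniffed from the
 * file contents. The client-supplied $_FILES[...]['type'] is attacker-controlled,
 * so it is deliberately ignored here.
 */
function is_acceptable_upload(string $name, string $tmp_path): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    return in_array($mime, ALLOWED_MIME, true);
}

/**
 * Broken pattern: the check runs against index 0 only, but every index is
 * written. This is the shape of the bug the advisory describes.
 */
function handle_upload_array_vulnerable(array $files, string $upload_dir): array {
    $written = [];
    if (!is_acceptable_upload($files['name'][0], $files['tmp_name'][0])) {
        return $written;               // rejects the batch only when the FIRST file is bad
    }
    foreach ($files['name'] as $i => $name) {
        $dest = $upload_dir . '/' . basename($name);
        if (move_uploaded_file($files['tmp_name'][$i], $dest)) {
            $written[] = $dest;        // entries 1..n were never validated
        }
    }
    return $written;
}

/**
 * Corrected pattern: validate every entry first, fail the whole batch on any
 * rejection, and only then write. The stored name is regenerated so the
 * extension on disk is exactly the one that was checked.
 */
function handle_upload_array_fixed(array $files, string $upload_dir): array {
    $count = count($files['name']);
    for ($i = 0; $i < $count; $i++) {
        if ($files['error'][$i] !== UPLOAD_ERR_OK
            || !is_acceptable_upload($files['name'][$i], $files['tmp_name'][$i])) {
            return [];                 // all-or-nothing: one bad file rejects the batch
        }
    }
    $written = [];
    for ($i = 0; $i < $count; $i++) {
        $ext  = strtolower(pathinfo($files['name'][$i], PATHINFO_EXTENSION));
        $dest = $upload_dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
        if (move_uploaded_file($files['tmp_name'][$i], $dest)) {
            $written[] = $dest;
        }
    }
    return $written;
}

// Typical call site: a multi-file input named files[] arrives as $_FILES['files'],
// with 'name', 'tmp_name' and 'error' each being an array indexed 0..n.
// $written = handle_upload_array_fixed($_FILES['files'], wp_upload_dir()['basedir'] . '/prosol');
```

In a real WordPress plugin the per-file check would normally be delegated to `wp_check_filetype_and_ext()`, which applies the site's allowed MIME list and sniffs the content; the point of the example is that whichever check is used must run inside the loop, once per index, rather than once against index 0.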
Why It Matters
The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, network-reachable, low complexity, no privileges, no user interaction, with high impact across confidentiality, integrity, and availability. Successful exploitation yields remote code execution as the web server user on any affected WordPress site, enabling full site takeover, data theft, defacement, pivoting, or use as a staging point for further intrusion. Unauthenticated file upload bugs in WordPress plugins are a perennial target for opportunistic mass-exploitation campaigns, so internet-facing installs should be considered high-risk.
What's Vulnerable
- Product: ProSolution WP Client plugin for WordPress
- Affected versions: Up to and including 2.0.0
- Vulnerable code paths: includes/UploadHandler.php (lines 384 and 1345) and public/class-prosolwpclient-public.php (lines 998 and 1072), as referenced in the WordPress plugins trac
- Attack prerequisites: None; exploitation requires no authentication and no user interaction, only network access to the target site
The CVE is not present in the CISA KEV catalog at the time of publication, and the supplied source material does not assert any in-the-wild exploitation.
Patch Status
The NVD record (vulnStatus: Deferred) does not enumerate a fixed version in the supplied data. Administrators of sites running ProSolution WP Client should consult the Wordfence advisory and the plugin's WordPress.org trac history for the latest fixed release, and disable or remove the plugin until they can confirm they are running a patched version.