Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.
The vulnerability consists of a lack of proper restrictions on file types accepted by the upload mechanism in the OMGF Pro plugin. An attacker can upload a file of dangerous type (e.g., PHP script) to the target server without needing an account or user interaction. Once the malicious file is placed on the server, it is possible to execute it remotely, which leads to the compromise of the entire WordPress environment.
An attacker can gain full control over the server — read and modify data (C:H/I:H), as well as cause service unavailability (A:H). Remote code execution (RCE) on the server side is possible as well as attack escalation to other systems in the network (S:C — scope change).
The OMGF Pro plugin must be updated immediately to a version higher than 5.2.6. Detailed information about the available patch is available in the vendor's references and in the Patchstack database (https://patchstack.com/database/wordpress/plugin/host-google-fonts-pro/vulnerability/wordpress-omgf-pro-plugin-5-2-6-arbitrary-file-upload-vulnerability). Until the update is applied, it is recommended to disable or remove the plugin.
OMGF Pro plugin (WordPress) by Daan.Dev — versions from inception to 5.2.6 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H