PatchSiren cyber security CVE debrief
CVE-2026-6555 prosolution CVE debrief
The ProSolution WP Client plugin for WordPress contains a critical arbitrary file upload vulnerability affecting versions up to and including 2.0.0. The flaw stems from an array validation mismatch in the file upload handling logic: only the first file in a multi-file upload array undergoes extension and MIME type validation, while all files in the array are subsequently processed and uploaded to a web-accessible directory. This validation gap enables unauthenticated attackers to bypass security controls by submitting a benign first file followed by malicious PHP files, achieving remote code execution on affected systems. The vulnerability was disclosed on 2026-05-20 and carries a CVSS 3.1 score of 9.8 (Critical). The underlying weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
- Vendor: prosolution
- Product: ProSolution WP Client
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using the ProSolution WP Client plugin; security operations teams monitoring WordPress plugin vulnerabilities; web hosting providers with shared WordPress environments; incident response teams investigating potential compromise of WordPress installations
Technical summary
The vulnerability exists in the ProSolution WP Client plugin's file upload handling mechanism. When processing multi-file uploads, the plugin's validation logic (located in UploadHandler.php and class-prosolwpclient-public.php) only inspects the first array element for permitted extensions and MIME types. Subsequent array elements bypass this validation yet are still processed through the upload pipeline and written to publicly accessible directories. Attackers can exploit this by crafting multipart/form-data requests with a compliant first file followed by arbitrary PHP payloads. Successful exploitation grants unauthenticated remote code execution with the privileges of the web server process. The flaw affects both the 2.0.0 release tag and trunk development versions as of disclosure.
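The validation mismatch described above, as an added illustration beside a hardened form (this is not the plugin's source, which the advisory does not reproduce; the `files[]` field name, the allow-lists and the function names are assumptions):

```php
<?php
// Illustrative reconstruction of the pattern described above, not the plugin's
// own source. The form field is assumed to be "files[]", so $_FILES['files']
// holds parallel arrays (name, type, tmp_name, error, size), one slot per file.
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'application/pdf'];

// Vulnerable pattern: only element [0] is checked, yet every element is saved.
function vulnerable_upload(array $files, string $dest_dir): array
{
    $ext = strtolower(pathinfo($files['name'][0], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true) || !in_array($files['type'][0], ALLOWED_MIME, true)) {
        return [];
    }
    $saved = [];
    foreach ($files['tmp_name'] as $i => $tmp) {   // files[1..n] were never validated
        $target = $dest_dir . '/' . basename($files['name'][$i]);
        if (move_uploaded_file($tmp, $target)) {
            $saved[] = $target;
        }
    }
    return $saved;
}

// Hardened pattern: validate every element before anything is written, use
// server-side content sniffing instead of the client-supplied type, and never
// reuse the client filename on disk.
function hardened_upload(array $files, string $dest_dir): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $count = count($files['name']);
    $exts  = [];
    for ($i = 0; $i < $count; $i++) {
        $exts[$i] = strtolower(pathinfo($files['name'][$i], PATHINFO_EXTENSION));
        if ($files['error'][$i] !== UPLOAD_ERR_OK
            || !in_array($exts[$i], ALLOWED_EXT, true)
            || !in_array($finfo->file($files['tmp_name'][$i]), ALLOWED_MIME, true)) {
            return [];                               // one bad file rejects the whole batch
        }
    }
    $saved = [];
    for ($i = 0; $i < $count; $i++) {
        $target = $dest_dir . '/' . bin2hex(random_bytes(16)) . '.' . $exts[$i];
        if (move_uploaded_file($files['tmp_name'][$i], $target)) {
            $saved[] = $target;
        }
    }
    return $saved;
}
```

Inside WordPress itself, core's `wp_check_filetype_and_ext()` performs this per-file extension and content check and has to be called on every element of the array, not only the first.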
Defensive priority
critical
Recommended defensive actions
- Upgrade the ProSolution WP Client plugin to a release later than 2.0.0 as soon as a patched version becomes available
- Temporarily disable or remove the ProSolution WP Client plugin if patching is not immediately feasible
- Implement Web Application Firewall (WAF) rules to block multi-file upload requests to ProSolution WP Client endpoints pending patch availability
- Review web server access logs for suspicious file upload patterns, particularly PHP files uploaded via plugin endpoints
- Configure file upload directories so that the web server will not execute scripts placed in them, where possible
- Monitor for unauthorized PHP file creation in wp-content/uploads and plugin-specific upload directories
Evidence notes
Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code references. Multiple source code locations identified in both tagged release (2.0.0) and trunk versions. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Official resources
2026-05-20