CVE-2026-6555
Deferred Deferred - Pending Action
Arbitrary File Upload in ProSolution WP Client WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload malicious PHP files and achieve remote code execution by sending a valid first file followed by a malicious file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6555
EUVD
EUVD-2026-31016
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
prosolution wp_client to 2.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to upload malicious PHP files and achieve remote code execution on affected systems. This can lead to unauthorized access, data breaches, and potential manipulation or theft of sensitive information.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data against unauthorized access and ensure system integrity.

Failure to address this vulnerability could result in violations of these regulations due to compromised confidentiality, integrity, and availability of data.

Executive Summary

The ProSolution WP Client plugin for WordPress has a vulnerability in versions up to and including 2.0.0 that allows arbitrary file uploads. This happens because only the first file in an upload array is properly checked for its file extension and MIME type, while subsequent files are not validated and are uploaded directly to a web-accessible directory.

As a result, an unauthenticated attacker can upload malicious PHP files by sending a valid first file followed by a malicious one, potentially leading to remote code execution on the affected server.

Impact Analysis

This vulnerability can have severe impacts including allowing attackers to execute arbitrary code remotely on your server. This can lead to full system compromise, unauthorized access to sensitive data, defacement of your website, or using your server as a launchpad for further attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart