ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-6555 Unauthenticated Arbitrary File Upload in ProSolution WP Client Leading to Remote Code Execution

A short review of CVE-2026-6555, a critical CVSS 9.8 arbitrary file upload vulnerability in the ProSolution WP Client WordPress plugin that allows unauthenticated attackers to bypass file validation and achieve remote code execution through an array validation mismatch.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Brief Summary: CVE-2026-6555 Unauthenticated Arbitrary File Upload in ProSolution WP Client Leading to Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An array validation mismatch in the ProSolution WP Client plugin for WordPress allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution, earning a CVSS score of 9.8. The flaw is deceptively simple: the plugin validates only the first file in a multi-file upload request, then processes and saves every file in the array to a publicly accessible directory.

ProSolution WP Client is a WordPress plugin that serves as a client for WorkExpert, an ERP software designed for temporary work businesses, connecting WordPress sites to WorkExpert's job portal and online application features. The plugin has a small footprint with roughly 20+ active installations. While the install base is limited, the severity of unauthenticated remote code execution makes this worth understanding for anyone managing WordPress environments or conducting plugin security assessments.

Technical Information

The root cause of CVE-2026-6555 lies in the proSol_fileUploadProcess function within class-prosolwpclient-public.php in version 2.0.0 of the plugin. This function is responsible for handling file uploads submitted through the plugin's public forms. The critical flaw is that the function only inspects the first element of the uploaded files array.

Specifically, the code checks $submit_data['name'][0] and $submit_data['tmp_name'][0] to verify the file extension against a whitelist of safe types (such as jpg, png, and pdf). It also verifies the true MIME type of this first file. These are reasonable security checks on their own, but they are only applied to index zero of the array.

After this single-file validation passes, the plugin hands the entire upload array off to the UploadHandler class (defined in includes/UploadHandler.php). The UploadHandler uses a foreach loop to iterate over every file in the $upload['tmp_name'] array. It processes and moves all files to the server's public directory without performing any additional extension or MIME type validation.

Attack Flow

The exploitation path is straightforward:

  1. An unauthenticated attacker identifies a WordPress site running ProSolution WP Client version 2.0.0 or earlier.
  2. The attacker constructs a multipart form POST request targeting the plugin's file upload endpoint. The request contains an array of files rather than a single file.
  3. At index [0] of the files array, the attacker places a legitimate image file (for example, a valid JPEG). This file passes the extension whitelist check and the MIME type verification in proSol_fileUploadProcess.
  4. At index [1] (or any subsequent index), the attacker places a malicious PHP file, such as a web shell.
  5. The proSol_fileUploadProcess function validates only the first file and, finding it acceptable, passes the entire array to UploadHandler.
  6. The UploadHandler iterates over all files and writes both the legitimate image and the malicious PHP file to a web-accessible directory on the server.
  7. The attacker navigates to the URL of the uploaded PHP file and achieves remote code execution.

No authentication is required at any point in this chain. The exploit complexity is low, requiring only basic knowledge of how to construct multipart form requests with array-style file parameters.

This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue is an architectural disconnect between the validation logic and the processing logic: one component assumes a single file, while the other handles an arbitrary number of files.

Affected Systems and Versions

The following versions of the ProSolution WP Client plugin for WordPress are affected:

Version RangeVulnerability
Versions up to and including 2.0.0CVE-2026-6555: Array validation mismatch allowing unauthenticated arbitrary file upload
Versions up to and including 1.9.9CVE-2026-2942: Unauthenticated arbitrary file upload via proSol_fileUploadProcess

Any WordPress installation running ProSolution WP Client version 2.0.0 or earlier is vulnerable. The plugin requires the WorkExpert ERP backend to function, so affected deployments will be sites integrated with WorkExpert's job portal and application features.

Vendor Security History

ProSolution has a documented pattern of recurring file upload security issues in this plugin:

  • Version 1.8.9: Fixed a case-sensitive extension bypass in the upload validation logic.
  • Version 1.9.3: Added server-side file extension checks, suggesting prior versions lacked them entirely.
  • CVE-2026-2942 (April 2026): An unauthenticated arbitrary file upload vulnerability affecting versions up to 1.9.9, exploiting the same proSol_fileUploadProcess function.
  • CVE-2026-6555 (May 2026): The current vulnerability in version 2.0.0, where the fix for the previous CVE introduced a new validation gap by only checking the first file in an array.

This pattern of repeated upload security weaknesses across multiple versions suggests systemic issues with the plugin's approach to file upload security. Each fix has addressed a specific bypass without comprehensively hardening the upload pipeline. Organizations that depend on this plugin should weigh the risk of continued use against the vendor's track record.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization