Introduction
An array validation mismatch in the ProSolution WP Client plugin for WordPress allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution, earning a CVSS score of 9.8. The flaw is deceptively simple: the plugin validates only the first file in a multi-file upload request, then processes and saves every file in the array to a publicly accessible directory.
ProSolution WP Client is a WordPress plugin that serves as a client for WorkExpert, an ERP software designed for temporary work businesses, connecting WordPress sites to WorkExpert's job portal and online application features. The plugin has a small footprint with roughly 20+ active installations. While the install base is limited, the severity of unauthenticated remote code execution makes this worth understanding for anyone managing WordPress environments or conducting plugin security assessments.
Technical Information
The root cause of CVE-2026-6555 lies in the proSol_fileUploadProcess function within class-prosolwpclient-public.php in version 2.0.0 of the plugin. This function is responsible for handling file uploads submitted through the plugin's public forms. The critical flaw is that the function only inspects the first element of the uploaded files array.
Specifically, the code checks $submit_data['name'][0] and $submit_data['tmp_name'][0] to verify the file extension against a whitelist of safe types (such as jpg, png, and pdf). It also verifies the true MIME type of this first file. These are reasonable security checks on their own, but they are only applied to index zero of the array.
After this single-file validation passes, the plugin hands the entire upload array off to the UploadHandler class (defined in includes/UploadHandler.php). The UploadHandler uses a foreach loop to iterate over every file in the $upload['tmp_name'] array. It processes and moves all files to the server's public directory without performing any additional extension or MIME type validation.
Attack Flow
The exploitation path is straightforward:
- An unauthenticated attacker identifies a WordPress site running ProSolution WP Client version 2.0.0 or earlier.
- The attacker constructs a multipart form POST request targeting the plugin's file upload endpoint. The request contains an array of files rather than a single file.
- At index
[0]of the files array, the attacker places a legitimate image file (for example, a valid JPEG). This file passes the extension whitelist check and the MIME type verification inproSol_fileUploadProcess. - At index
[1](or any subsequent index), the attacker places a malicious PHP file, such as a web shell. - The
proSol_fileUploadProcessfunction validates only the first file and, finding it acceptable, passes the entire array toUploadHandler. - The
UploadHandleriterates over all files and writes both the legitimate image and the malicious PHP file to a web-accessible directory on the server. - The attacker navigates to the URL of the uploaded PHP file and achieves remote code execution.
No authentication is required at any point in this chain. The exploit complexity is low, requiring only basic knowledge of how to construct multipart form requests with array-style file parameters.
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue is an architectural disconnect between the validation logic and the processing logic: one component assumes a single file, while the other handles an arbitrary number of files.
Affected Systems and Versions
The following versions of the ProSolution WP Client plugin for WordPress are affected:
| Version Range | Vulnerability |
|---|---|
| Versions up to and including 2.0.0 | CVE-2026-6555: Array validation mismatch allowing unauthenticated arbitrary file upload |
| Versions up to and including 1.9.9 | CVE-2026-2942: Unauthenticated arbitrary file upload via proSol_fileUploadProcess |
Any WordPress installation running ProSolution WP Client version 2.0.0 or earlier is vulnerable. The plugin requires the WorkExpert ERP backend to function, so affected deployments will be sites integrated with WorkExpert's job portal and application features.
Vendor Security History
ProSolution has a documented pattern of recurring file upload security issues in this plugin:
- Version 1.8.9: Fixed a case-sensitive extension bypass in the upload validation logic.
- Version 1.9.3: Added server-side file extension checks, suggesting prior versions lacked them entirely.
- CVE-2026-2942 (April 2026): An unauthenticated arbitrary file upload vulnerability affecting versions up to 1.9.9, exploiting the same
proSol_fileUploadProcessfunction. - CVE-2026-6555 (May 2026): The current vulnerability in version 2.0.0, where the fix for the previous CVE introduced a new validation gap by only checking the first file in an array.
This pattern of repeated upload security weaknesses across multiple versions suggests systemic issues with the plugin's approach to file upload security. Each fix has addressed a specific bypass without comprehensively hardening the upload pipeline. Organizations that depend on this plugin should weigh the risk of continued use against the vendor's track record.
References
- Wordfence Threat Intel: ProSolution WP Client <= 2.0.0 Unauthenticated Arbitrary File Upload
- CVE Record: CVE-2026-6555
- UploadHandler.php (tag 2.0.0, line 1345)
- UploadHandler.php (tag 2.0.0, line 384)
- class-prosolwpclient-public.php (tag 2.0.0, line 1072)
- class-prosolwpclient-public.php (tag 2.0.0, line 998)
- UploadHandler.php (trunk, line 1345)
- UploadHandler.php (trunk, line 384)
- class-prosolwpclient-public.php (trunk, line 1072)
- class-prosolwpclient-public.php (trunk, line 998)
- ProSolution WP Client WordPress Plugin Page
- GitHub Advisory: GHSA-58qw-hm39-96q8
- NVD: CVE-2026-2942 (related prior vulnerability)



