MEDIUM (5.4)
    Theme

    Arbitrary File Upload Vulnerability in WebStack Theme

    Published Date: 4/15/2026
    CVE ID: CVE-2026-1555

    Summary

    The WebStack theme for WordPress is susceptible to arbitrary file upload because its image-upload handler does not validate the type of the submitted file. All theme versions up to and including 1.2024 are affected. An unauthenticated attacker can upload a file of any type, including a PHP script, to the server, which can lead to remote code execution.

    Vulnerability Details

    The vulnerability resides in the theme's io_img_upload() function, which handles image uploads. The function does not check the type of the file it receives, so an attacker is not limited to images and can upload any file, including an executable script such as a PHP web shell. If the directory the file lands in is served by the web server and permits script execution, as the WordPress uploads directory does by default in many installations, the attacker can then request the uploaded file and have the server run it. The upload endpoint is reachable without authentication, which makes the flaw straightforward to exploit. Successful exploitation can give an attacker arbitrary code execution under the web server's account, a persistent foothold on the site, and a starting point for further compromise of the host. All versions of the theme up to and including 1.2024 are affected.

    Recommendations

    Update the theme as soon as a patched release is available. Until then, and as defense in depth afterwards, site administrators should: restrict uploads to an allowlist of image types (for example JPG and PNG), checking the file's actual content rather than only its client-supplied name or extension, and store uploads under a server-generated filename; configure the web server so that nothing under the uploads directory is executed as PHP; ensure the upload endpoint is only reachable by an authenticated user with the appropriate capability; use a file-integrity-monitoring plugin to alert on new or modified PHP files; and add Web Application Firewall (WAF) rules that block upload requests carrying script content.
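    The following is an added example, written for this page; it is not the WebStack theme's code and is not a reconstruction of io_img_upload(). It shows the shape of an upload handler that trusts the client-supplied filename (the class of bug described above) next to a hardened handler that applies the recommendations: an extension allowlist, content sniffing with finfo, re-encoding through GD so an image/PHP polyglot loses its payload, a random server-chosen name, and, when wired into WordPress, a capability check and nonce with no unauthenticated (wp_ajax_nopriv_) registration. The class name, the action name "io_img_upload_safe" and the upload directory are assumptions for illustration; the GD and fileinfo extensions are required.

```php
<?php
// Added example, not the theme's code. Demonstrates unsafe vs. hardened image upload.
declare(strict_types=1);

/**
 * Illustrative unsafe shape (NOT the theme's actual code): whatever the client
 * names the file is used as-is, so "shell.php" lands in a web-served directory.
 */
function unsafe_upload_shape(array $file, string $dir): string
{
    $dest = rtrim($dir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest); // no type check at all
    return $dest;
}

final class SafeImageUpload
{
    /** Allowed extension => MIME type the sniffed content must match. */
    private const ALLOWED = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
    ];
    private const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB, an assumed limit

    public function __construct(private string $uploadDir) {}

    /** Validate one $_FILES entry and store it; returns the stored path or throws. */
    public function store(array $file): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload failed with error code ' . (string) $file['error']);
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('not a file uploaded via HTTP POST');
        }
        if (filesize($file['tmp_name']) > self::MAX_BYTES) {
            throw new RuntimeException('file too large');
        }

        // 1. Extension allowlist. The client name is consulted only to pick the
        //    expected type; it is never reused as the stored name.
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new RuntimeException("extension .$ext not allowed");
        }

        // 2. Content sniffing: the bytes must be what the extension claims.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($mime !== self::ALLOWED[$ext]) {
            throw new RuntimeException("content type $mime does not match .$ext");
        }

        // 3. Re-encode through GD. A valid image with PHP appended after it would
        //    pass steps 1 and 2; decoding and re-encoding drops the trailing bytes.
        $img = $mime === 'image/png'
            ? @imagecreatefrompng($file['tmp_name'])
            : @imagecreatefromjpeg($file['tmp_name']);
        if ($img === false) {
            throw new RuntimeException('file does not decode as an image');
        }

        // 4. Server-chosen random name with the allowlisted extension only.
        $name = bin2hex(random_bytes(16)) . ($mime === 'image/png' ? '.png' : '.jpg');
        $dest = rtrim($this->uploadDir, '/') . '/' . $name;
        $ok   = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
        imagedestroy($img);
        if (!$ok) {
            throw new RuntimeException('could not write image');
        }
        chmod($dest, 0644); // readable, never executable
        return $dest;
    }
}

// Illustrative WordPress wiring (assumed action name). Guarded so the file also
// loads outside WordPress. Note there is deliberately no wp_ajax_nopriv_ hook:
// that is what would make the endpoint reachable without authentication.
if (function_exists('add_action')) {
    add_action('wp_ajax_io_img_upload_safe', function (): void {
        if (!current_user_can('upload_files')
            || !check_ajax_referer('io_img_upload_safe', 'nonce', false)) {
            wp_send_json_error('forbidden', 403);
        }
        try {
            $path = (new SafeImageUpload(wp_upload_dir()['path']))->store($_FILES['file'] ?? []);
            wp_send_json_success(['path' => $path]);
        } catch (RuntimeException $e) {
            wp_send_json_error($e->getMessage(), 400);
        }
    });
}
```

    The server-side control is independent of the handler and should be in place regardless: for Apache, a `.htaccess` in wp-content/uploads containing `<FilesMatch "\.ph(p[0-9]?|tml)$">` with `Require all denied` (or `Deny from all` on older versions); for nginx, `location ~* /wp-content/uploads/.*\.php$ { deny all; }` ahead of the PHP handler block. With that rule, even a file that slips past validation cannot be executed by requesting it.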

    Available Fixes

    Last Updated: 4/16/2026

    All Rights Reserved © 2026 Jedar for Digital Rights.