The cmsMinds Boat Rental Plugin for WordPress versions up to 1.0.1 contains an unrestricted file upload vulnerability that permits attackers to upload files of dangerous types, such as web shells, to the server. This vulnerability allows remote attackers to execute arbitrary code on the affected system without any authentication or user interaction. The issue is classified as critical with a CVSS 3.1 base score of 10.0, reflecting its ease of exploitation and severe impact on confidentiality, integrity, and availability. No patch or official fix has been documented yet, and the plugin is not a cloud service, so remediation depends on vendor updates or user mitigation.

Successful exploitation of this vulnerability can lead to complete compromise of the web server hosting the vulnerable plugin. Attackers can upload and execute arbitrary code, potentially gaining full control over the affected system, leading to data theft, service disruption, or further network penetration. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the vulnerable plugin to prevent exploitation. Monitoring for unusual file uploads and restricting file upload permissions may provide temporary risk reduction but do not fully mitigate the vulnerability.