This vulnerability in the WordPress Pie Register plugin allows unauthenticated attackers to bypass authentication by submitting a specially crafted POST request with the parameter social_site=true and a manipulated user_id_social_site value. This generates a valid WordPress session cookie for any user ID, including administrators. With this unauthorized session, attackers can upload malicious plugins containing arbitrary PHP code via the plugin's upload functionality, resulting in remote code execution on the underlying server. The issue combines CWE-434 (unrestricted file upload), CWE-306 (authentication bypass), and CWE-94 (code injection). The CVSS 4.0 base score is 10.0, reflecting a critical severity with network attack vector, no required privileges or user interaction, and high impacts on confidentiality, integrity, availability, and security requirements. No official patch or remediation guidance is currently provided by the vendor.

Successful exploitation allows unauthenticated attackers to impersonate any user, including administrators, and execute arbitrary PHP code on the server by uploading malicious plugins. This leads to full system compromise, including potential data theft, service disruption, and further malicious activity. The vulnerability has a CVSS 4.0 score of 10.0, indicating critical impact across confidentiality, integrity, availability, and security requirements.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin and consider disabling or removing it to prevent exploitation. Monitor for unusual activity related to user sessions and file uploads. Avoid deploying this plugin in production environments until a patch or official mitigation is released.