Description
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an arbitrary file upload flaw that allows a subscriber-level user to upload files via the Grip theme. By uploading a malicious PHP payload and triggering plugin activation or deactivation, the attacker can execute code on the affected WordPress site. The issue is classified under CWE‑434, indicating an insecure file upload weakness that can lead to full system compromise.

Affected Systems

The attack affects the Zidithemes Grip theme, versions 1.0.9 and earlier.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.9, indicating critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker needs authenticated access as a subscriber to trigger the upload and plugin management operations, after which arbitrary code execution is possible.

Generated by OpenCVE AI on June 18, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Grip theme to a version newer than 1.0.9 that removes the insecure upload handling.
  • If an update is not yet available, uninstall the Grip theme or replace it with a secure alternative.
  • Restrict file upload permissions by limiting who can upload files via the theme, ensuring only trusted administrators can perform plugin activation/deactivation.
  • Configure the web server to prevent execution of uploaded files in the plugins directory by setting the appropriate filesystem permissions or disabling PHP execution for that folder.

Generated by OpenCVE AI on June 18, 2026 at 12:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zidithemes
Zidithemes grip
Vendors & Products Wordpress
Wordpress wordpress
Zidithemes
Zidithemes grip

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions.
Title WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Zidithemes Grip
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:41:59.517Z

Reserved: 2024-11-11T06:40:25.496Z

Link: CVE-2024-52488

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:59Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type