Description
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Theme Travelscape 1.0.3 includes an arbitrary file upload flaw that allows attackers without authentication to place malicious files in the theme directory. The vulnerability stems from insufficient validation of uploaded file types, which means that an attacker can upload a script and then execute it on the server, gaining full control of the compromised WordPress installation.

Affected Systems

The affected product is the WordPress theme Travelscape, version 1.0.3, bundled with the WP Travel Kit. Systems running this theme without an updated version are vulnerable.

Risk and Exploitability

The CVSS score of 9.3 (Critical) reflects a flaw that is easy to exploit, with potential for complete compromise. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but because no authentication is required, an attacker can exploit this flaw over the network without logging in to the WordPress site. Consequently, the risk remains high until the vulnerability is mitigated.

Generated by OpenCVE AI on June 8, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Travelscape theme to the latest patched version or disable the theme and remove Travel Kit if no patch exists.
  • Remove or disable the theme’s file upload capability for non-admin users to eliminate the upload vector.
  • Enforce server‑side validation of uploaded files by restricting allowed MIME types and extensions, and use .htaccess rules or web‑server configuration to block execution of uploaded content in the theme directory.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

  • First Time appeared (values added): Wordpress; Wordpress wordpress; Wp Travel Kit; Wp Travel Kit travelscape
  • Vendors & Products (values added): Wordpress; Wordpress wordpress; Wp Travel Kit; Wp Travel Kit travelscape

Mon, 08 Jun 2026 13:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 02:00:00 +0000

  • Description (values added): WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.
  • Title (values added): WordPress Theme Travelscape 1.0.3 Arbitrary File Upload
  • Weaknesses (values added): CWE-434
  • References
  • Metrics (values added):
    cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T12:59:54.092Z

Reserved: 2026-06-06T10:58:32.220Z

Link: CVE-2024-58349

Vulnrichment

Updated: 2026-06-08T12:59:50.363Z

NVD

Status: Deferred

Published: 2026-06-08T02:16:23.403

Modified: 2026-06-08T14:59:44.750

Link: CVE-2024-58349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:38Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type