Description
Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files. This issue affects Eximius: from n/a through 2.2.
Published: 2025-05-19
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user of a WordPress site running the Eximius theme to upload files of disallowed or dangerous types, enabling attackers to place malicious code that the web server may then execute. The weakness is classified as CWE-434, a failure to verify or filter the type of user-supplied uploads. If an attacker uploads a script or executable file and the web server executes it, the attacker can compromise the confidentiality, integrity, and availability of the site.

Affected Systems

The issue affects the dkszone Eximius WordPress theme for all released versions up to and including 2.2. Versions 2.3 and later are not known to be affected according to the vendor statement.

Risk and Exploitability

The vulnerability has a CVSS score of 9.9, reflecting a high risk to exposed sites. The EPSS score is below 1%, suggesting that current exploit activity is minimal, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote, through the WordPress administrative interface or any other interface that permits file uploads, which an authenticated user could use to upload malicious files and potentially achieve remote code execution.

Generated by OpenCVE AI on May 2, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Eximius theme to version 2.3 or later, which removes the vulnerable upload functionality.
  • If an upgrade is delayed, restrict file uploads by configuring the site to allow only safe file types (such as images) and disable upload capabilities for untrusted users.
  • Deploy a web application firewall or security plugin that validates file MIME types and blocks execution of uploaded files located in the web root.
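The file-type check the second and third recommendations call for, as an added example (not OpenCVE's or the Eximius theme's code): the upload is accepted only when the extension is allowlisted, no executable extension appears anywhere in the name, and the file's leading bytes match the claimed type, so the client-declared MIME type is never trusted. The allowlist and signature table are assumptions chosen for illustration.

```python
"""Defensive upload validation of the kind CWE-434 mitigations require.
Added example; not code from OpenCVE or the Eximius theme."""
import secrets

# Allowlist (assumed for this example): extension -> accepted leading byte signatures.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a web server may execute; never accept these anywhere in the name.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "sh"}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only when the name, every extension
    segment and the file's leading bytes all agree on an allowlisted image type."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "invalid characters in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    # Double extensions such as shell.php.png are rejected outright.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension present"
    if len(exts) != 1 or exts[0] not in ALLOWED_TYPES:
        return False, "extension not allowlisted"
    # The client-declared MIME type is not trusted; the content decides.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[exts[0]]):
        return False, "content signature does not match extension"
    # Conservative polyglot check: a valid image should not carry PHP open tags.
    if b"<?php" in content or b"<?=" in content:
        return False, "script marker embedded in image"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Random storage name that keeps only the validated extension, so the
    original name cannot influence where or how the file is served."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

This check complements, rather than replaces, a web-server rule that denies script execution under the uploads directory.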

Advisories

Source: EUVD
ID: EUVD-2025-15753
Title: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files. This issue affects Eximius: from n/a through 2.2.
History

Tue, 28 Apr 2026 19:30:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius eximius allows Using Malicious Files.This issue affects Eximius: from n/a through <= 2.2.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.This issue affects Eximius: from n/a through 2.2.
References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.This issue affects Eximius: from n/a through 2.2.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius eximius allows Using Malicious Files.This issue affects Eximius: from n/a through <= 2.2.
References

Mon, 19 May 2025 22:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 18:15:00 +0000

Description
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.This issue affects Eximius: from n/a through 2.2.
Title
  Added: WordPress Eximius theme <= 2.2 - Arbitrary File Upload vulnerability
Weaknesses
  Added: CWE-434
References
Metrics
  Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:41.105Z

Reserved: 2025-02-17T11:49:35.313Z

Link: CVE-2025-26872

Vulnrichment

Updated: 2025-05-19T21:14:36.825Z

NVD

Status: Deferred

Published: 2025-05-19T18:15:28.013

Modified: 2026-04-28T19:29:46.307

Link: CVE-2025-26872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses