Description
Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through <= 1.1.6.
Published: 2025-07-04
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exposes an unrestricted file upload interface that permits the upload of arbitrary files, including executable scripts. An attacker can use the flaw to place a web shell on the server, enabling the execution of arbitrary code and potentially full compromise of the WordPress site. This weakness is a classic file upload vulnerability classified as CWE-434, leading to remote code execution, which can compromise confidentiality, integrity, and availability.

Affected Systems

All installations of the LiquidThemes LogisticsHub WordPress theme version 1.1.6 or earlier are vulnerable. The flaw applies to every deployment that has not upgraded beyond version 1.1.6.

Risk and Exploitability

With a CVSS score of 10, the flaw is rated as critical. The EPSS score of less than 1% indicates that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves utilizing the theme’s upload functionality; based on the description, it is inferred that an attacker would need authenticated upload privileges to exploit the issue, although the CVE does not explicitly state whether unauthenticated uploads are possible.

Generated by OpenCVE AI on May 2, 2026 at 01:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LogisticsHub theme to the latest available release that removes the file upload flaw.
  • If an upgrade cannot be performed immediately, disable the theme’s upload capability or delete any uploaded files that might contain malicious content.
  • Configure web server and application firewalls to reject the upload of executable or script file types such as .php, .phtml, and .exe, and enforce strict MIME type validation.

Advisories
Source: EUVD
ID: EUVD-2025-19974
Title: Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through <= 1.1.6.
Title
  Removed: WordPress LogisticsHub <= 1.1.6 - Arbitrary File Upload Vulnerability
  Added: WordPress LogisticsHub theme <= 1.1.6 - Arbitrary File Upload Vulnerability
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Mon, 07 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6.
Title WordPress LogisticsHub <= 1.1.6 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.961Z

Reserved: 2025-03-26T09:22:01.079Z

Link: CVE-2025-30933

Vulnrichment

Updated: 2025-07-07T14:04:54.629Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:27.607

Modified: 2026-04-23T15:27:21.250

Link: CVE-2025-30933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z

Weaknesses