Description
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
Published: 2026-01-06
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unrestricted file upload vulnerability allows attackers to upload files of dangerous types, including web shells, to the server's file system. The flaw can lead to remote code execution on the server that hosts the affected website.

Affected Systems

Affected products include the Themify Sidepane WordPress Theme (up to version 1.9.8), Themify Newsy WordPress Theme (up to 1.9.9), Themify Folo WordPress Theme (up to 1.9.6), Themify Edmin WordPress Theme (up to 2.0.0), Bloggie WordPress Theme (up to 2.0.8), Photobox WordPress Theme (up to 2.0.1), Wigi WordPress Theme (up to 2.0.1), Rezo WordPress Theme (up to 1.9.7), and Slide WordPress Theme (up to 1.7.5).

Risk and Exploitability

The CVSS score of 9.9 (Critical) reflects the potential for arbitrary code execution. The EPSS score of less than 1% indicates a low current probability of exploitation, and the vulnerability is not listed in CISA KEV. Attackers can likely exploit the flaw by reaching the theme's upload interface over the web, without needing privileged account access, and uploading a web shell that is then executable on the server.

Generated by OpenCVE AI on May 1, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Themify themes to the latest available releases.
  • If an update is unavailable, disable or restrict the upload functionality in the theme settings and configure the web server to allow only safe file types such as .jpg, .png, and .gif.
  • Add a web application firewall rule to block the execution of uploaded files and to filter known shell patterns.
  • Regularly monitor server logs for unexpected file uploads or execution attempts.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows Upload a Web Shell to a Web Server. This issue affects Themify Newsy: from n/a through <= 1.9.9.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
Title
  Values Removed: WordPress Themify Newsy <= 1.9.9 - Arbitrary File Upload Vulnerability
  Values Added: Arbitrary File Upload Vulnerability in WordPress themes by Themify
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Newsy newsy allows Upload a Web Shell to a Web Server. This issue affects Themify Newsy: from n/a through <= 1.9.9.
Title
  Values Removed: Arbitrary File Upload Vulnerability in WordPress themes by Themify
  Values Added: WordPress Themify Newsy <= 1.9.9 - Arbitrary File Upload Vulnerability
References

Wed, 07 Jan 2026 10:45:00 +0000

First Time appeared
  Values Added:
    Themify
    Themify bloggie
    Themify edmin
    Themify folo
    Themify newsy
    Themify photobox
    Themify rezo
    Themify sidepane Wordpress Theme
    Themify slide
    Themify wigi
    Wordpress
    Wordpress wordpress
Vendors & Products
  Values Added:
    Themify
    Themify bloggie
    Themify edmin
    Themify folo
    Themify newsy
    Themify photobox
    Themify rezo
    Themify sidepane Wordpress Theme
    Themify slide
    Themify wigi
    Wordpress
    Wordpress wordpress

Tue, 06 Jan 2026 21:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 21:00:00 +0000

Description
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
Title
  Values Added: Arbitrary File Upload Vulnerability in WordPress themes by Themify
Weaknesses
  Values Added: CWE-434
References
Metrics
  Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.361Z

Reserved: 2025-03-26T09:22:48.161Z

Link: CVE-2025-30996

Vulnrichment

Updated: 2026-01-06T21:05:03.159Z

NVD

Status: Deferred

Published: 2026-01-06T21:15:42.560

Modified: 2026-04-28T19:30:52.727

Link: CVE-2025-30996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses