Description
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16.
Published: 2025-05-07
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to upload a file with a dangerous type, specifically a web shell, to the server via the Themefic Instantio plugin. This could give the attacker complete code execution privileges on the affected WordPress site, leading to full compromise of the web server and any data stored there. The weakness is a classic instance of unrestricted file upload (CWE‑434) that enables direct insertion of executable code into the web environment.

Affected Systems

The flaw exists in Themefic Instantio for WordPress, affecting all versions up to and including 3.3.16. The plugin is installed on WordPress sites, so any site running a vulnerable version of Instantio is at risk.

Risk and Exploitability

With a CVSS score of 6.6 and an EPSS score below 1%, the severity is moderate but the likelihood of exploitation remains low and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local to the application context: an authenticated WordPress administrator could exploit the flaw through the plugin’s upload interface, but an unauthenticated attacker would first need to compromise administrative credentials or access.

Generated by OpenCVE AI on April 30, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Instantio plugin to the latest version (any release newer than 3.3.16); keep the plugin up to date to receive security fixes.
  • If the plugin is no longer required, uninstall or disable it to remove the attack surface entirely.
  • Apply server‑level or web‑application firewall rules to block execution of uploaded files with PHP extensions or other dangerous types as a temporary containment measure until a patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13786 Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16. Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16.
Title WordPress Instantio <= 3.3.16 - Arbitrary File Upload Vulnerability WordPress Instantio plugin <= 3.3.16 - Arbitrary File Upload Vulnerability
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00081}

 epss

{'score': 0.00085}

Mon, 12 May 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic instantio
CPEs cpe:2.3:a:themefic:instantio:*:*:*:*:*:wordpress:*:*
Vendors & Products Themefic
Themefic instantio

Fri, 09 May 2025 08:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16. Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16.
References

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio allows Upload a Web Shell to a Web Server. This issue affects Instantio: from n/a through 3.3.16.
Title WordPress Instantio <= 3.3.16 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Themefic Instantio
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.721Z

Reserved: 2025-05-07T09:40:00.789Z

Link: CVE-2025-47550

cve-icon Vulnrichment

Updated: 2025-05-07T17:20:14.575Z

cve-icon NVD

Status : Modified

Published: 2025-05-07T15:16:11.923

Modified: 2026-04-23T15:30:28.187

Link: CVE-2025-47550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:30:15Z

Weaknesses