Description
Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files. This issue affects Clanora: from n/a through < 1.3.1.
Published: 2025-10-22
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CMSSuperHeroes Clanora theme includes an unrestricted upload mechanism that permits the transfer of files categorized as dangerous types. This flaw, identified as CWE‑434, enables an attacker to place malicious files on a WordPress site. The CVE description notes only the ability to upload such files; it does not specify the subsequent effects if those files are executed or accessed.

Affected Systems

All installations of the Clanora WordPress theme with a version older than 1.3.1 are affected. No specific patch version is mentioned beyond the stated threshold, so any deployment running a pre‑1.3.1 release is potentially vulnerable.

Risk and Exploitability

The CVSS score of 10 classifies this vulnerability as critical. The EPSS score is below 1 %, indicating a low estimated probability of exploitation, though it remains possible. The issue is not listed in CISA’s KEV catalog. The CVE description does not detail the attack vector or authentication requirements, so from the description alone it is unclear whether the upload endpoint requires administrative privileges or can be accessed publicly; the CVSS 3.1 vector recorded with the score of 10, however, rates the issue as network-reachable with no privileges required (AV:N, PR:N). The vulnerability’s primary risk lies in the ability to upload arbitrary content that the server may treat as executable or otherwise malicious.

Generated by OpenCVE AI on April 29, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Clanora theme to version 1.3.1 or later, which removes the unrestricted upload functionality.
  • If the theme cannot be upgraded immediately, disable or remove the upload feature provided by the theme, and enforce file‑type restrictions using WordPress settings or a security plugin.
  • Configure the upload directory so that it is not executable—apply appropriate file permissions or .htaccess directives—and monitor logs for unexpected file uploads.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 11:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files. This issue affects Clanora: from n/a through < 1.3.1.

Type: Title
Values Added: WordPress Clanora theme < 1.3.1 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-434

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:18:43.355Z

Reserved: 2025-05-15T17:54:35.012Z

Link: CVE-2025-48106

Vulnrichment

Updated: 2025-10-22T20:01:34.271Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:34.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type