Description
Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3.
Published: 2025-10-22
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an arbitrary file upload flaw that allows an attacker to upload a web shell to the target WordPress site. The flaw stems from improper type validation, marked as CWE‑434, and can enable execution of malicious code. Attackers can place executable files or scripts that grant control over the web server, leading to full system compromise, data exfiltration, or defacement.

Affected Systems

Vendors affected are CMSSuperHeroes for the Wastia theme. All versions prior to 1.1.3 are vulnerable, including unspecified older releases up to 1.1.2. Any WordPress installation using these versions of the Wastia theme is at risk.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity, while the EPSS score of less than 1% suggests exploitation attempts are unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the theme’s file upload interface, where an attacker with the ability to submit files can upload a web shell. No additional prerequisites are specified, so the flaw likely remains exploitable whenever the upload feature is enabled.

Generated by OpenCVE AI on April 29, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wastia theme to version 1.1.3 or later.
  • Restrict file uploads by limiting authorized users or disabling the upload feature for untrusted accounts.
  • Monitor the upload directory for unexpected or executable files and block dangerous file types through web server rules or a security plugin.

Generated by OpenCVE AI on April 29, 2026 at 16:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3.
Title WordPress Wastia theme < 1.1.3 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:20:45.834Z

Reserved: 2025-05-30T14:04:42.919Z

Link: CVE-2025-49060

cve-icon Vulnrichment

Updated: 2025-10-22T20:04:30.496Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:35.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49060

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:00:13Z

Weaknesses