Impact
An attacker can upload any file type to the WordPress server using the Flozen theme’s upload interface, including web shells. Once uploaded, the malicious file can be accessed and executed, enabling full remote code execution on the host. The vulnerability arises from the absence of proper MIME type validation, allowing files with dangerous extensions to bypass security controls. The weakness is classified as CWE-434, which highlights the risk of arbitrary file upload without validation.
Affected Systems
The affected product is the NasaTheme Flozen WordPress theme. All versions up to and including 1.5.0 are vulnerable; no exact lower bound is specified. Version 1.5.1 and later contain the necessary fix. The vulnerability applies to any WordPress installation that uses this theme and permits file uploads via its interface.
Risk and Exploitability
The CVSS base score of 10 marks the issue as critical, and the EPSS score indicates a very low, but nonzero, likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. It is inferred that the attack vector is a web-based upload endpoint exposed by the Flozen theme, and that an attacker may need access to a user account with upload privileges to exploit it. Once the file is uploaded, an attacker can execute the payload directly from the web server, potentially compromising the entire site.
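The validation that the Impact section describes as missing can be sketched as follows, together with a sweep that applies the same check to files already on disk. This is an added example, not code from the advisory or from the Flozen theme; the function names, the extension allowlist and the list of interpreter-mapped extensions are assumptions, and the advisory does not name the directory the theme writes to.

```python
import os

# Allowlisted extensions and the magic bytes their content must start with.
# The allowlist is an assumption for this example; match it to what the site accepts.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Extensions commonly mapped to a server-side interpreter (assumed list).
EXECUTABLE = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
SCRIPT_MARKER = b"<?php"  # heuristic: script source hidden behind a valid header


def classify_upload(filename, data):
    """Return None if the file passes, else a short reason string."""
    parts = os.path.basename(filename).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts:
        return "no extension"
    # Check every extension, not only the last: 'x.php.jpg' can still run
    # on servers that pick a handler from any extension in the name.
    if any(e in EXECUTABLE for e in exts):
        return "executable extension"
    magics = ALLOWED.get(exts[-1])
    if magics is None:
        return "extension not allowlisted"
    if not data.startswith(magics):
        return "content does not match extension"
    if SCRIPT_MARKER in data:
        return "embedded script marker"
    return None


def sweep(root):
    """Apply classify_upload to every file under root; return {relpath: reason}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = classify_upload(name, fh.read(1 << 20))  # first 1 MiB
            if reason:
                findings[os.path.relpath(path, root)] = reason
    return findings
```

Each entry returned by `sweep` is a candidate for review on a site that ran a vulnerable version, not proof of compromise.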