Impact
The vulnerability is an unrestricted file upload flaw that allows an attacker to upload files with dangerous types, such as PHP web shells, to a WordPress site using the 7oroof Medcity theme. This flaw gives the attacker the ability to execute arbitrary code on the web server, compromising confidentiality, integrity, and availability of the site and any data it hosts, and potentially allowing full system control. The weakness is identified as CWE‑434.
Affected Systems
All installations of the 7oroof Medcity WordPress theme running a version earlier than 1.1.9 are affected. Users who have not upgraded to 1.1.9 or later are at risk. The issue is limited to this theme within the WordPress ecosystem.
Risk and Exploitability
The CVSS base score of 10 highlights the maximum severity of this flaw. With an EPSS score of less than 1%, the likelihood of exploitation in the wild is currently low, yet the impact remains catastrophic. The vulnerability is not yet cataloged in CISA's KEV program. Based on the description, the attack vector is inferred to be the theme’s upload functionality. That functionality may be limited to users with certain WordPress roles, but it can be exploited through any available upload path by submitting a malicious file that bypasses MIME type checks, giving the attacker the ability to execute arbitrary code.
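A defender-side audit for the condition described above, as an added example that is not part of the advisory or the theme's code: it reads the theme version from the `Version:` header of `style.css` and flags files in an uploads tree that carry an executable extension or a PHP open tag, because the advisory notes that MIME type checks are bypassed. The extension list and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 1, 9)  # first fixed Medcity release named in the advisory
# Assumed list of extensions a PHP handler may execute; match it to your server config.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def theme_version(style_css: str):
    """Parse the 'Version:' header WordPress reads from a theme's style.css."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", style_css, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(style_css: str) -> bool:
    """True below 1.1.9; an unparseable version is flagged for manual review."""
    v = theme_version(style_css)
    return v is None or v < FIXED


def suspicious_uploads(uploads: Path):
    """List files with an executable extension or a PHP tag anywhere in the content."""
    hits = []
    for f in sorted(p for p in uploads.rglob("*") if p.is_file()):
        reasons = []
        if EXEC_EXT.search(f.name):  # also catches double extensions such as x.php.jpg
            reasons.append("executable extension")
        if PHP_TAG.search(f.read_bytes()):  # content check, independent of declared MIME
            reasons.append("PHP open tag in content")
        if reasons:
            hits.append((f.relative_to(uploads).as_posix(), reasons))
    return hits


def demo():
    """Constructed sample tree; file names and contents are illustrative only."""
    with tempfile.TemporaryDirectory() as d:
        up = Path(d) / "uploads" / "2024"
        up.mkdir(parents=True)
        (up / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (up / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0 <?php /* placeholder */ ?>")
        (up / "report.php").write_bytes(b"placeholder")
        return suspicious_uploads(Path(d) / "uploads")


if __name__ == "__main__":
    print(is_vulnerable("/*\nTheme Name: Medcity\nVersion: 1.1.8\n*/"), demo())
```

A hit is a prompt for review rather than proof of compromise; a clean scan on a version earlier than 1.1.9 still calls for the upgrade.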
OpenCVE Enrichment