Description
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server. This issue affects Wiguard: from n/a through < 2.0.1.
Published: 2026-02-20
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unrestricted upload of dangerous file types in earlier versions of Wiguard lets an attacker place a web shell directly on the server, giving them code execution within the application stack. The root cause is a missing file-type validation filter (CWE-434); a successful upload can compromise the confidentiality, integrity, or availability of the site and every user it serves.

Affected Systems

The Wiguard WordPress theme is vulnerable in all releases prior to version 2.0.1; any WordPress site still running one of those older builds, because the latest update has not been applied, is affected.

Risk and Exploitability

The CVSS score of 9.9 classifies this as a critical flaw. EPSS puts the probability of exploitation under 1 %, but a low score does not eliminate risk, and the vulnerability is not listed in CISA KEV. The attack path is the theme's file-upload interface: where it is reachable by authenticated or unauthenticated users, it can lead to remote code execution without any other access to the system. Because the flaw allows executable code to be placed on the web server, an attacker who can upload can then run code with the permissions of the web application.

Generated by OpenCVE AI on April 29, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wiguard theme to version 2.0.1 or later to eliminate the missing file‑type validation.
  • If an upgrade is not yet possible, disable the theme’s file‑upload capability or block all uploads to directories that are served publicly.
  • Configure the web server or application to reject or deny execution of files with extensions such as .php, .pl, or .sh in the upload directories.
  • Continuously monitor the upload directories for newly added files with executable extensions and remove any detected web shells immediately.
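The monitoring step above, as an added example that is not part of the OpenCVE page or the theme's code: a scan over a WordPress upload tree that flags files carrying a server-executable extension anywhere in their name (so double extensions such as shell.php.jpg are caught too). The extension list extends the advisory's .php/.pl/.sh with common PHP aliases, which is an assumption; the sample directory is constructed inline.

```python
import os
import tempfile
from pathlib import Path

# Extensions the advisory names, plus common PHP aliases (added assumption).
DANGEROUS_EXTS = {".php", ".pl", ".sh", ".phtml", ".phar", ".php5", ".php7"}


def is_dangerous(name: str) -> bool:
    """True if any dot-separated suffix of the filename is an executable extension.
    Checking every suffix, not just the last one, catches double extensions such as
    img.php.jpg, which some Apache AddHandler configurations still run as PHP."""
    suffixes = name.lower().split(".")[1:]  # drop the base name
    return any("." + s in DANGEROUS_EXTS for s in suffixes)


def find_executable_uploads(root: str) -> list[str]:
    """Walk the upload tree and return sorted relative paths of files whose name
    carries an executable extension. Symlinks are skipped so a planted link cannot
    drag the scan (or a later cleanup) outside the upload directory."""
    root_path = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_path, followlinks=False):
        for fn in filenames:
            full = Path(dirpath) / fn
            if full.is_symlink():
                continue
            if is_dangerous(fn):
                hits.append(full.relative_to(root_path).as_posix())
    return sorted(hits)


def build_sample_uploads() -> str:
    """Constructed sample upload directory for a stand-alone run (not real site data)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    for rel in ["2026/02/photo.jpg", "2026/02/cmd.php", "2026/03/notes.txt",
                "2026/03/img.php.jpg", "2026/03/backup.SH"]:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
    return root


if __name__ == "__main__":
    # Point this at wp-content/uploads on a real site; here it runs on the sample tree.
    for hit in find_executable_uploads(build_sample_uploads()):
        print("suspicious upload:", hit)
```

Run it from cron or a file-integrity job and alert on any output; a newly appeared hit in the upload tree is the signal the recommendation above asks you to watch for.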



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 00:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 19:45:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Zozothemes; Zozothemes wiguard

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Zozothemes; Zozothemes wiguard

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server. This issue affects Wiguard: from n/a through < 2.0.1.

Type: Title
Values Added: WordPress Wiguard theme < 2.0.1 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:01:36.353Z

Reserved: 2025-12-19T10:17:17.171Z

Link: CVE-2025-68549

Vulnrichment

Updated: 2026-02-25T18:35:04.823Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:12.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses