Description
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files.This issue affects Keenarch: from n/a through < 2.0.1.
Published: 2026-03-05
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Keenarch WordPress theme allows an untrusted user to upload files of any type without proper validation, as described by CWE-434. This flaw lets an attacker place malicious scripts or executables on the web server, effectively compromising the confidentiality, integrity, and availability of the site. Successful exploitation can result in full site compromise, data theft, defacement, or the use of the host as part of a botnet.

Affected Systems

All installations of the zozothemes Keenarch theme that are on a version prior to 2.0.1 are affected. The vulnerability applies to every release version in the range from the first available version (n/a) up to but not including 2.0.1.

Risk and Exploitability

The CVSS base score of 9.9 indicates a critical level of severity, while the EPSS score of less than 1% signals a low current exploitation probability. The vulnerability is not yet included in the CISA KEV catalog. The likely attack vector is through the theme’s file upload interface, which accepts arbitrary file types and executes them if not properly sanitized.

Generated by OpenCVE AI on April 29, 2026 at 11:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Keenarch 2.0.1 or later to receive the vendor fix.
  • If an upgrade cannot be performed immediately, remove the theme from the WordPress installation and switch to a reputable theme that enforces MIME type restrictions.
  • Configure the web server to prohibit execution of files in the uploads directory, e.g., by adding a .htaccess rule that blocks .php, .js, or other executable extensions.
  • Supplement the restriction by enabling a Web Application Firewall that limits file uploads to safe MIME types and requires authentication for upload actions.

Generated by OpenCVE AI on April 29, 2026 at 11:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zozothemes
Zozothemes keenarch
Vendors & Products Wordpress
Wordpress wordpress
Zozothemes
Zozothemes keenarch

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files.This issue affects Keenarch: from n/a through < 2.0.1.
Title WordPress Keenarch theme < 2.0.1 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References

Subscriptions

Wordpress Wordpress
Zozothemes Keenarch
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:01:55.199Z

Reserved: 2025-12-19T10:17:23.836Z

Link: CVE-2025-68554

cve-icon Vulnrichment

Updated: 2026-03-10T13:19:25.528Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:11.983

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-68554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses