Description
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server. This issue affects Nutrie: from n/a through < 2.0.1.
Published: 2026-03-05
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to upload files to the WordPress web server without restriction. The upload mechanism accepts dangerous file types, enabling the injection of a web shell or other executable code. An attacker who can upload a shell can then execute arbitrary commands on the server, compromising the confidentiality, integrity, and availability of the hosting environment.

Affected Systems

The flaw exists in the Nutrie theme distributed by zozothemes. Any installation running a version older than 2.0.1 is affected; the record gives no lower bound (n/a), so every release prior to 2.0.1 should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 9.9 reflects a high risk of remote code execution. The EPSS score is under 1 %, indicating low current exploitation activity, and the issue is not listed in CISA KEV, but neither of these diminishes the potential impact. The attack vector is inferred to be the theme's file upload interface, reachable by authenticated WordPress administrators or users with upload privileges (the CVSS vector records AV:N and PR:L: reachable over the network, low privileges required). Successful exploitation needs no special network position beyond being able to reach the administrative interface of the vulnerable WordPress installation.

Generated by OpenCVE AI on April 29, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nutrie theme to version 2.0.1 or later, which contains the official fix.
  • If upgrading is not immediately possible, disable or remove the theme’s file‑upload functionality by editing theme files or using a security plugin that blocks arbitrary uploads.
  • Implement file‑type validation and whitelist only safe media extensions for all upload endpoints, and consider using a web application firewall to reject suspicious content.

Generated by OpenCVE AI on April 29, 2026 at 11:06 UTC.
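The recommended actions above call for file-type validation and an extension allowlist on every upload endpoint. The following must-use plugin is an added example of that hardening for WordPress, written for this page; it is not code from the Nutrie theme, from zozothemes, or from OpenCVE. The constant name, the chosen allowlist, and the error messages are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Upload allowlist hardening (added example; not Nutrie or OpenCVE code)
 * Place this file in wp-content/mu-plugins/ so it loads before any theme code runs.
 */

// Assumed allowlist for a typical site; php, phtml, html, svg and everything else is refused.
const HARDEN_UPLOAD_ALLOWLIST = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'webp'         => 'image/webp',
    'pdf'          => 'application/pdf',
];

// Layer 1: shrink the MIME map WordPress consults for media-library uploads to the allowlist,
// for every role including administrators. Late priority so other filters cannot re-add types.
add_filter('upload_mimes', function (array $mimes): array {
    return HARDEN_UPLOAD_ALLOWLIST;
}, PHP_INT_MAX);

// Layer 2: validate every file that goes through wp_handle_upload(), the path that
// well-behaved theme and plugin upload forms use. A non-empty 'error' string aborts the upload.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    $name = (string) ($file['name'] ?? '');

    // Every dot-separated part after the base name must be an allowed extension, so
    // "shell.php.jpg" and "shell.jpg.php" are both refused, not only the final part.
    $allowed_ext = [];
    foreach (array_keys(HARDEN_UPLOAD_ALLOWLIST) as $pattern) {
        $allowed_ext = array_merge($allowed_ext, explode('|', $pattern));
    }
    $parts = array_slice(explode('.', strtolower($name)), 1);
    foreach ($parts as $part) {
        if (!in_array($part, $allowed_ext, true)) {
            $file['error'] = 'Upload rejected: extension "' . $part . '" is not on the allowlist.';
            return $file;
        }
    }

    // Check the content as well: the claimed type must agree with what WordPress's own
    // file-type check detects from the bytes, using the restricted MIME map.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $name, HARDEN_UPLOAD_ALLOWLIST);
    if (empty($check['ext']) || empty($check['type'])) {
        $file['error'] = 'Upload rejected: file content does not match an allowed media type.';
    }
    return $file;
}, PHP_INT_MAX);
```

Both hooks are bypassed by theme code that writes uploads with move_uploaded_file() directly instead of calling wp_handle_upload(), which is why upgrading to 2.0.1 remains the real fix. Also confirm that ALLOW_UNFILTERED_UPLOADS is not defined as true in wp-config.php, since that setting disables the MIME allowlist for users with the unfiltered_upload capability.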

Tracking


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wordpress; Wordpress wordpress; Zozothemes; Zozothemes nutrie
Vendors & Products   -                Wordpress; Wordpress wordpress; Zozothemes; Zozothemes nutrie

Thu, 05 Mar 2026 16:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
                          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type         Values Removed   Values Added
Description  -                Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server. This issue affects Nutrie: from n/a through < 2.0.1.
Title        -                WordPress Nutrie theme < 2.0.1 - Arbitrary File Upload vulnerability
Weaknesses   -                CWE-434
References   -                -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:02:04.337Z

Reserved: 2025-12-19T10:17:23.836Z

Link: CVE-2025-68555

Vulnrichment

Updated: 2026-03-05T15:13:17.669Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:12.120

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-68555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses