Description
Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5.
Published: 2026-01-22
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blogzee theme for WordPress contains an unrestricted upload flaw that fails to validate or filter file types, allowing an attacker to upload files with dangerous extensions or content. This defect can be leveraged to place malicious payloads – such as PHP backdoors – onto the web server, resulting in full compromise of the application and potentially the underlying host. The weakness is formally categorized as CWE‑434, which signifies an unfiltered file upload that permits the execution of arbitrary code.

Affected Systems

All installations of the Blogzee theme version 1.0.5 or earlier are affected. The theme is distributed by blazethemes and is used on any WordPress site that has not applied an update beyond 1.0.5. No specific sub‑versions are listed beyond the maximum limit of 1.0.5, so any instance at or below that version remains vulnerable.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical-severity vulnerability that gives remote attackers the potential to execute code. The current CVSS vector specifies PR:L, meaning a low-privileged account is required. However, the EPSS score of less than 1% suggests that, in the general population of WordPress sites, exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed widespread exploitation reports are known. Attackers would need only to access the file upload mechanism – typically a publicly reachable form – to supply a malicious file, making it a straightforward path for exploitation if the site allows unauthenticated users or low-privileged users to upload content.

Generated by OpenCVE AI on April 29, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blogzee theme to the latest supported version or any version newer than 1.0.5 that removes the upload flaw
  • Replace or remove the Blogzee theme if it is not required for the site’s functionality
  • Implement or enforce strict file type validation on the server or via a web application firewall to block the upload of disallowed or dangerous files



Advisories

No advisories yet.

History

Wed, 28 Jan 2026 16:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5.

Type: Title
Values Added: WordPress Blogzee theme <= 1.0.5 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:08:46.896Z

Reserved: 2025-12-24T14:00:54.032Z

Link: CVE-2025-68910

Vulnrichment

Updated: 2026-01-27T20:48:43.937Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:14.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z
