Description
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7.
Published: 2026-01-22
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unrestricted upload of arbitrary files can be performed by any user with upload privileges. Uploaded files are not validated for type or content, enabling an attacker to place a web shell onto the server. Once the shell is present, the attacker can execute arbitrary code with the web server's user rights, leading to full system compromise. The weakness corresponds to CWE‑434, which signals a lack of validation for uploaded data.

Affected Systems

The vulnerability affects the Miion theme from zozothemes, in all releases from the initial launch through version 1.2.7. Specifically, any installation running Miion version 1.2.7 or older is potentially exploitable.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at this time. The vulnerability is not currently listed in CISA’s KEV catalog, but the possibility of deploying a web shell remains high. The likely attack vector is through the web interface of the WordPress site, where a malicious actor uploads a valid‑looking file that contains executable code.

Generated by OpenCVE AI on April 29, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Miion theme to the latest version (any release newer than 1.2.7).
  • If an upgrade is not immediately possible, restrict file uploads to trusted administrators only and configure the system to accept only image files, discarding all other MIME types.
  • Apply a Web Application Firewall or server‑side rule set that blocks execution of files in the upload directory and filters known web shell patterns.
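An interim hardening of the WordPress media upload path that implements the first three actions above, written here as an added example (it is not code from the Miion theme, zozothemes or OpenCVE). It assumes uploads pass through WordPress core's upload handling; the hooks used (user_has_cap, upload_mimes, wp_handle_upload_prefilter) are standard WordPress filters.

```php
<?php
/**
 * Plugin Name: Upload hardening (added example)
 *
 * Added example, not part of the Miion theme or OpenCVE. Place the file in
 * wp-content/mu-plugins/ so it loads on every request. It limits uploads to
 * administrators, restricts the accepted MIME list to raster images, and
 * checks that each uploaded file actually parses as an image. Assumption: the
 * theme's uploads go through the core media path; a theme endpoint that writes
 * files itself is not covered, so the web-server rule that denies execution
 * under wp-content/uploads is still required.
 */

// 1. Only users who can manage options (administrators) keep upload_files.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    if ( ! empty( $allcaps['upload_files'] ) && empty( $allcaps['manage_options'] ) ) {
        $allcaps['upload_files'] = false;
    }
    return $allcaps;
}, 10, 4 );

// 2. Reduce the allowed MIME list to common image types only. Intersecting
//    with WordPress's own list means a type disabled elsewhere cannot sneak back.
add_filter( 'upload_mimes', function ( $mimes ) {
    $images = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    return array_intersect_key( $images, $mimes );
} );

// 3. Reject any file whose bytes do not parse as one of the allowed image
//    formats, regardless of the extension or Content-Type the client declared.
//    Setting $file['error'] makes wp_handle_upload() abort the upload.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $allowed = array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP );
    $info    = @getimagesize( $file['tmp_name'] );
    if ( false === $info || ! in_array( $info[2], $allowed, true ) ) {
        $file['error'] = 'Rejected: uploads are limited to JPEG, PNG, GIF and WebP images.';
    }
    return $file;
} );
```

getimagesize() only inspects the image header, so a file that carries a valid image header followed by PHP code still passes step 3; the web-server rule denying .php execution under the upload directory (third action above) is what closes that gap.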

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress, Wordpress wordpress
Vendors & Products  |                | Wordpress, Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7.
Title       |                | WordPress Miion theme <= 1.2.7 - Arbitrary File Upload vulnerability
Weaknesses  |                | CWE-434
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:13:10.222Z

Reserved: 2025-12-29T11:18:04.294Z

Link: CVE-2025-68986

Vulnrichment

Updated: 2026-01-28T16:42:21.599Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:15.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses