Description
Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal. This issue affects Photography: from n/a before 7.7.6.
Published: 2026-03-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload leading to potential remote code execution
Action: Patch
AI Analysis

Impact

The Photography theme’s upload functionality accepts files of any type without proper validation. Combined with path traversal, this lets an attacker place malicious files on the server. If such a file lands where the web server will execute it, the attacker could achieve remote code execution and compromise the entire site. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

ThemeGoods Photography WordPress theme versions earlier than 7.7.6 are affected. Any WordPress site using those releases is exposed to the described risk.

Risk and Exploitability

The CVSS score of 7.2 classifies the flaw as high severity. The vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that requires high privileges and no user interaction. The EPSS score is below 1 %, indicating a low estimated likelihood of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the likely attack vector is the theme’s web-based file upload form; an attacker would submit a crafted file that bypasses type checks and uses path traversal to place it on the server where it could be executed.

Generated by OpenCVE AI on April 28, 2026 at 22:12 UTC.

Remediation

Vendor Solution

Update the WordPress Photography theme to the latest available version (at least 7.7.6).


OpenCVE Recommended Actions

  • Upgrade the Photography theme to version 7.7.6 or later.
  • Immediately delete or quarantine all uploaded files added before the upgrade, as they may contain malware.
  • While the upgrade is pending, disable the theme’s file upload feature or enforce strict file‑type restrictions and implement filesystem permissions or server rules that prevent execution of uploaded files.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal.This issue affects Photography: from n/a through < 7.7.6.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal.This issue affects Photography: from n/a through < 7.7.6.
References

Tue, 07 Apr 2026 10:30:00 +0000


Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal.This issue affects Photography: from n/a through <= 7.7.5.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.
Title
  Values Removed: WordPress Photography theme <= 7.7.5 - Arbitrary File Upload vulnerability
  Values Added: WordPress Photography theme < 7.7.6 - Arbitrary File Upload vulnerability
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a through 7.7.5.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal.This issue affects Photography: from n/a through <= 7.7.5.
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Themegoods; Themegoods photography; Wordpress; Wordpress wordpress
Vendors & Products: Themegoods; Themegoods photography; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a through 7.7.5.
Title WordPress Photography theme <= 7.7.5 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:59.730Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27043

Vulnrichment

Updated: 2026-03-19T15:07:49.390Z

NVD

Status: Deferred

Published: 2026-03-19T15:16:24.083

Modified: 2026-04-28T19:37:11.433

Link: CVE-2026-27043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:15:41Z

Weaknesses