Description
Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions.
Published: 2026-07-02
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zozothemes Zegen theme for WordPress contains an arbitrary file upload flaw (CWE‑434, Unrestricted Upload of File with Dangerous Type). Any authenticated user holding the Subscriber role, the lowest default WordPress role, can upload files of any type through the theme with no server-side restriction on extension or content. If the uploaded file is a PHP backdoor, the attacker can execute code on the web host and compromise the site's confidentiality, integrity and availability; the changed scope (S:C) in the CVSS vector reflects that the impact reaches beyond the theme into the hosting server.
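The code pattern behind a CWE-434 upload flaw in a WordPress theme, shown as an added example that is not Zegen's code and is not taken from the advisory: a hypothetical AJAX handler (the action names `example_theme_upload_insecure` and `example_theme_upload`, the capability `upload_files` and the allowlist are all assumptions) that writes whatever it receives into the uploads directory, next to a hardened version that requires a capability the Subscriber role lacks, a nonce, and WordPress's own extension and content validation.

```php
<?php
/**
 * Illustrative WordPress theme code (added example; hypothetical, not Zegen's).
 * Both handlers hang off admin-ajax.php; the action names are assumptions.
 */

// VULNERABLE PATTERN (CWE-434): every logged-in user, including Subscribers,
// can reach wp_ajax_* handlers, and nothing here checks who they are or what
// they send. A file named shell.php lands in the uploads directory and is
// served by the web server as executable PHP.
add_action( 'wp_ajax_example_theme_upload_insecure', function () {
    $upload_dir = wp_upload_dir();
    $dest       = $upload_dir['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/' . basename( $dest ) ) );
} );

// HARDENED VERSION: capability check, CSRF nonce, and server-side
// extension/content validation through WordPress's own allowlist.
add_action( 'wp_ajax_example_theme_upload', 'example_theme_upload_secure' );

function example_theme_upload_secure() {
    // 1. Authorization, not just authentication. Subscribers are logged in,
    //    but they do not hold 'upload_files'; this check is what stops them.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: the nonce is bound to the logged-in user and action
    //    (created client-side with wp_create_nonce( 'example_theme_upload' )).
    check_ajax_referer( 'example_theme_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Validate the type server-side. $_FILES['file']['type'] is supplied by
    //    the client and is never consulted. wp_check_filetype_and_ext() applies
    //    the extension allowlist plus a content sniff for images and returns
    //    ext/type as false on a mismatch.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $name  = sanitize_file_name( $_FILES['file']['name'] );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // WordPress corrected the extension to match the sniffed content.
        $name = $check['proper_filename'];
    }

    // 4. Let wp_handle_upload() do the move: it re-applies the mime checks,
    //    generates a unique name and refuses the upload on any error.
    $file = array(
        'name'     => $name,
        'type'     => $check['type'],
        'tmp_name' => $_FILES['file']['tmp_name'],
        'error'    => $_FILES['file']['error'],
        'size'     => $_FILES['file']['size'],
    );
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```

The decisive line is the capability check: a nonce or a login requirement on its own changes nothing for this bug class, because the attacker already has a valid subscriber session. The allowlist is deliberately short; widening it to `get_allowed_mime_types()` is reasonable, but never to a list that includes anything the web server would execute.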

Affected Systems

All WordPress sites running Zegen theme version 1.1.9 or earlier are affected. The vulnerable code is in the theme itself, not in WordPress core or in other plugins, so removing or replacing the theme removes the exposure. Site owners should check the installed theme version (Appearance > Themes, or `wp theme list` with WP-CLI) and update as soon as a fixed release is available.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) is critical: the flaw is reachable over the network with low attack complexity, requires only low privileges (a subscriber account, a role that sites with open registration grant automatically), needs no user interaction, and its impact crosses from the theme into the hosting server. No EPSS score is available, so the exploitation probability is unquantified; the vulnerability is not listed in the CISA KEV catalog, and the SSVC record marks Exploitation as none and Automatable as no. Because the upload endpoint is accessible to any WordPress subscriber, an attacker needs nothing more than subscriber-level access, and a stored PHP file that is then requested through the web server yields remote code execution and potentially total site compromise.

Generated by OpenCVE AI on July 2, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zegen theme to a release newer than 1.1.9 as soon as the vendor publishes one; at the time of this entry no fixed version is listed.
  • If an upgrade is not immediately possible, validate uploads server-side against an allowlist of extensions and sniffed content; the MIME type the client sends in the multipart request is attacker-controlled and must not be the only check.
  • Restrict the theme's upload handler to a capability the Subscriber role does not hold (for example `upload_files`), or disable the handler. Requiring authentication alone does not help, since the attacker already has a subscriber account. If the handler is not needed, block requests to it at the web server as well.
  • Deny PHP execution in wp-content/uploads at the web server, and monitor access logs for POST requests to the upload handler and for any request to a .php file under the uploads directory.
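A post-incident check for a site that was exposed to this class of flaw, added here as an example that is not part of the advisory or of the theme: it scans the uploads tree for files the web server might execute and parses access-log lines for requests to such files under /wp-content/uploads/. The uploads path, the combined log format, the sample files and the log lines are all constructed for the demonstration, and the extension list is an assumption about what a typical PHP-FPM or mod_php setup executes.

```php
<?php
/**
 * Added example: detection of uploaded web shells after an unrestricted
 * upload flaw. Not part of the advisory or the theme; paths, log format and
 * sample data are constructed. Two checks that need no knowledge of the
 * theme's upload endpoint:
 *   1. files under wp-content/uploads that the web server may execute;
 *   2. access-log requests for such files under /wp-content/uploads/.
 */

// Extensions commonly mapped to the PHP handler (assumption; adjust to the host).
const EXEC_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );

function has_executable_extension( string $path ): bool {
    // Check every dotted component after the first, so shell.php.jpg is caught
    // (Apache AddHandler-style configs execute it).
    $parts = explode( '.', strtolower( basename( $path ) ) );
    array_shift( $parts );
    return (bool) array_intersect( $parts, EXEC_EXTENSIONS );
}

function contains_php_tag( string $path ): bool {
    $head = @file_get_contents( $path, false, null, 0, 8192 );
    return $head !== false && ( strpos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false );
}

/** Suspicious files under $dir: executable extension, or PHP code inside. */
function scan_uploads( string $dir ): array {
    $hits = array();
    $it   = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        $p = $file->getPathname();
        if ( has_executable_extension( $p ) || contains_php_tag( $p ) ) {
            $hits[] = $p;
        }
    }
    sort( $hits );
    return $hits;
}

/** Access-log lines whose request targets an executable file under uploads. */
function scan_access_log( array $lines ): array {
    $hits = array();
    // Combined log format: "METHOD /path HTTP/1.x" then status; path is group 2.
    $re = '#"(GET|POST|HEAD) (/wp-content/uploads/[^ "?]+)[^"]*" (\d{3})#';
    foreach ( $lines as $line ) {
        if ( preg_match( $re, $line, $m ) && has_executable_extension( $m[2] ) ) {
            $hits[] = array( 'method' => $m[1], 'path' => $m[2], 'status' => (int) $m[3] );
        }
    }
    return $hits;
}

// Constructed sample data so the script runs offline.
$tmp = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir( $tmp . '/2026/07', 0700, true );
file_put_contents( $tmp . '/2026/07/photo.jpg', "\xFF\xD8\xFF\xE0 jpeg bytes" );
file_put_contents( $tmp . '/2026/07/shell.php', "<?php system(\$_GET['c']);" );
file_put_contents( $tmp . '/2026/07/avatar.php.jpg', 'GIF89a<?php echo 1; ?>' );

$sample_log = array(
    '203.0.113.5 - - [02/Jul/2026:14:20:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jul/2026:14:20:03 +0000] "GET /wp-content/uploads/2026/07/shell.php?c=id HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [02/Jul/2026:14:21:10 +0000] "GET /wp-content/uploads/2026/07/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
);

foreach ( scan_uploads( $tmp ) as $f ) {
    echo "suspicious file: $f\n";           // flags shell.php and avatar.php.jpg, not photo.jpg
}
foreach ( scan_access_log( $sample_log ) as $h ) {
    echo "executable under uploads requested: {$h['method']} {$h['path']} -> {$h['status']}\n";
}

// Remove the demo tree.
foreach ( array( 'photo.jpg', 'shell.php', 'avatar.php.jpg' ) as $f ) {
    unlink( "$tmp/2026/07/$f" );
}
rmdir( "$tmp/2026/07" ); rmdir( "$tmp/2026" ); rmdir( $tmp );
```

On a real host, point `scan_uploads()` at the site's wp-content/uploads directory and feed `scan_access_log()` with `file( '/var/log/apache2/access.log' )` or the nginx equivalent. A 200 response to a .php path under uploads is the strongest single indicator that a shell was both stored and executed; a file hit with no matching log line still warrants removal and a review of what wrote it.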



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:15:00 +0000

  • First Time appeared: values added Wordpress, Wordpress wordpress, Zozothemes, Zozothemes zegen; nothing removed.
  • Vendors & Products: values added Wordpress, Wordpress wordpress, Zozothemes, Zozothemes zegen; nothing removed.

Thu, 02 Jul 2026 13:30:00 +0000

  • Metrics: value added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}; nothing removed.


Thu, 02 Jul 2026 11:30:00 +0000

  • Description: value added "Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions."
  • Title: value added "WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability"
  • Weaknesses: value added CWE-434
  • References: (values not listed on this page)
  • Metrics: value added cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:12:11.625Z

Reserved: 2026-02-19T09:52:28.127Z

Link: CVE-2026-27419

Vulnrichment

Updated: 2026-07-02T12:12:06.755Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses

  • CWE-434: Unrestricted Upload of File with Dangerous Type