Impact
The Zozothemes Zegen theme for WordPress contains an Arbitrary File Upload flaw (CWE-434). Any authenticated user with at least subscriber privileges, administrators included, can upload any file type to the server without restriction. If a malicious file such as a PHP backdoor is uploaded, an attacker can execute code on the web host and compromise the site's confidentiality, integrity, and availability.
Affected Systems
All WordPress sites that have installed Zegen theme version 1.1.9 or earlier are affected. The issue is confined to the Zegen theme and does not impact core WordPress or other plugins. Site owners should verify the theme version and apply the fix if they are running an affected build.
Risk and Exploitability
The CVSS base score of 9.9 indicates critical severity. No EPSS score has been assigned, so the current probability of exploitation is unknown, and the vulnerability has not been listed in the CISA KEV catalog. The flaw is triggered through the theme's upload endpoint, which is reachable by any WordPress subscriber, so an attacker with basic subscriber-level access can exploit it. This high-risk exposure permits remote code execution once a malicious file has been stored and is then requested from the web root, potentially leading to a total site compromise.
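The weak upload pattern the advisory describes, beside a hardened handler that would have prevented it, as an added example that is not code from the Zegen theme; the AJAX hook names, the nonce action name and the image-only allow-list are assumptions.

```php
<?php
// Added example (not the Zegen theme's code): a WordPress AJAX upload
// handler in the weak form described by the advisory, then a hardened form.
// Hook names, nonce action and the allow-list are hypothetical.

// WEAK: any logged-in user, a subscriber included, may store any file type.
add_action( 'wp_ajax_theme_upload_weak', 'theme_upload_weak' );
function theme_upload_weak() {
    if ( ! is_user_logged_in() || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['path'] . '/' . basename( $_FILES['file']['name'] );
    // No capability, nonce or file-type check: a .php upload lands web-accessible.
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( $upload_dir['url'] . '/' . basename( $target ) );
}

// HARDENED: capability check, nonce, server-side type validation, core upload API.
add_action( 'wp_ajax_theme_upload_hardened', 'theme_upload_hardened' );
function theme_upload_hardened() {
    // Subscribers lack upload_files; by default only Author and above hold it.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'theme_upload_nonce', 'nonce' ); // rejects forged requests
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];
    // Allow-list of image types; the real content is checked against the extension,
    // so a PHP script renamed to .jpg fails here.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload re-validates the type, sanitizes the name and avoids collisions.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Pairing the capability check with server-side type validation matters because the advisory's endpoint fails on both counts: subscriber-level accounts reach it, and it stores whatever extension the client supplies.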
OpenCVE Enrichment