Description
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows an attacker to upload arbitrary files, including web shells, via the Ona theme's upload interface. Based on the description, it is inferred that uploading a web shell could enable execution of arbitrary code with the web server's privileges, potentially leading to compromise of the WordPress site, depending on available upload permissions.

Affected Systems

The issue affects installations of the deothemes Ona WordPress theme with any version earlier than 1.24, from the earliest available release up to, but not including, 1.24.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity. The EPSS score is less than 1%, suggesting low current exploitation prevalence. Since the vulnerability is not listed in the CISA KEV catalog, there is no known active exploitation campaigns. The attack vector is likely via the theme's file upload interface, which may require an authenticated user with upload rights. The exploitation path is straightforward: upload a malicious file and leverage it to execute code. The high severity and potential for remote code execution make this a high priority risk for any affected WordPress site.

Generated by OpenCVE AI on March 26, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ona theme to version 1.24 or later.

Generated by OpenCVE AI on March 26, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Deothemes
Deothemes ona
Wordpress
Wordpress wordpress
Vendors & Products Deothemes
Deothemes ona
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24.
Title WordPress Ona theme < 1.24 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References

Subscriptions

Deothemes Ona
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:43:18.103Z

Reserved: 2026-03-12T11:11:55.347Z

Link: CVE-2026-32482

cve-icon Vulnrichment

Updated: 2026-03-26T19:42:07.596Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:59.183

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:13Z

Weaknesses