Description
Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Webenvo theme contains a flaw that permits the upload of arbitrary files through its file‑upload interface. An attacker who can exercise this upload routine can place malicious code onto the server, potentially executing it with the privileges of the web application and thereby compromising the entire site.

Affected Systems

All WordPress installations that use the Webenvo theme version 0.0.6 or older are affected. The vendor responsible for the theme is A WP Life. Administrators should verify that they are running a version later than 0.0.6.

Risk and Exploitability

This flaw has a CVSS score of 9.9, indicating a very high severity. No EPSS data is currently available, but the absence of a CISA KEV listing does not lessen the risk. Attackers can most likely exploit the vulnerability through the theme’s upload functionality, which is accessible to authenticated subscribers; therefore, the attack ability requires a valid user session but is independent of higher privilege escalation.

Generated by OpenCVE AI on June 18, 2026 at 12:18 UTC.

Remediation

Vendor Solution

Update the WordPress Webenvo Theme to the latest available version (at least 0.0.7).


OpenCVE Recommended Actions

  • Upgrade the Webenvo theme to version 0.0.7 or newer.
  • If an upgrade cannot be performed immediately, disable or restrict the theme’s file‑upload feature for all users and enforce a whitelist that allows only safe image types with strict MIME type validation.
  • Monitor server logs for unauthorized or anomalous file‑upload attempts, and block repeating offenders immediately.

Generated by OpenCVE AI on June 18, 2026 at 12:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared A Wp Life
A Wp Life webenvo
Wordpress
Wordpress wordpress
Vendors & Products A Wp Life
A Wp Life webenvo
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.
Title WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

A Wp Life Webenvo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:35:13.069Z

Reserved: 2026-04-07T10:48:44.714Z

Link: CVE-2026-39589

cve-icon Vulnrichment

Updated: 2026-06-17T12:34:47.303Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:23Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type