Impact
The Webenvo theme contains a flaw that permits the upload of arbitrary files through its file‑upload interface. An attacker who can exercise this upload routine can place malicious code onto the server, potentially executing it with the privileges of the web application and thereby compromising the entire site.
Affected Systems
All WordPress installations that use the Webenvo theme version 0.0.6 or older are affected. The vendor responsible for the theme is A WP Life. Administrators should verify that they are running a version later than 0.0.6.
Risk and Exploitability
This flaw has a CVSS score of 9.9, indicating a very high severity. No EPSS data is currently available, but the absence of a CISA KEV listing does not lessen the risk. Attackers can most likely exploit the vulnerability through the theme’s upload functionality, which is accessible to authenticated subscribers; therefore, the attack ability requires a valid user session but is independent of higher privilege escalation.
OpenCVE Enrichment