Description
Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to upload arbitrary files to the Restaurant Zone theme up to version 0.7.8. This flaw, classified as CWE‑434, can permit the execution of malicious code on the WordPress site, potentially compromising the entire server. The impact extends to confidentiality, integrity, and availability of the affected infrastructure if successful exploitation occurs.

Affected Systems

The issue affects installations of the Restaurant Zone theme developed by themagnifico52 for WordPress where the version is 0.7.8 or lower. Updating to 0.7.9 or later removes the upload functionality flaw. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.9 indicates an extremely high severity, and the vulnerability is not currently listed in the CISA KEV catalog. Because the EPSS score is not available, the exact exploitation probability cannot be determined, but the flaw is actionable for any user who can reach the upload interface. The attack vector is likely a web-based file upload by a subscriber or potentially unauthenticated user, depending on site configuration. Given the nature of the flaw, if the uploaded file is executable code, an attacker can run arbitrary commands on the server, leading to full site compromise.

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Remediation

Vendor Solution

Update the WordPress Restaurant Zone Theme to the latest available version (at least 0.7.9).


OpenCVE Recommended Actions

  • Update the Restaurant Zone theme to version 0.7.9 or later.
  • Restrict access to the file‑upload feature to trusted administrative users or disable it entirely if not required.
  • Ensure strict MIME type validation and disallow execution of uploaded files by configuring the web server or WordPress settings.

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themagnifico52
Themagnifico52 restaurant Zone
Wordpress
Wordpress wordpress
Vendors & Products Themagnifico52
Themagnifico52 restaurant Zone
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions.
Title WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Themagnifico52 Restaurant Zone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:29:02.536Z

Reserved: 2026-04-15T09:19:38.195Z

Link: CVE-2026-40746

cve-icon Vulnrichment

Updated: 2026-06-17T15:28:55.777Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:16Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type