Description
Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In WordPress Ecommerce Zone Theme versions 0.9.7 and earlier, the theme fails to validate uploaded files properly, enabling an attacker to place arbitrary files on the server. This flaw falls under CWE‑434 and allows compromised files, such as malicious scripts, to be uploaded. Should the server execute a malicious file, the attacker can gain full control of the affected WordPress installation.

Affected Systems

The vulnerability affects the Ecommerce Zone WordPress theme, distributed by themagnifico52. Any site running version 0.9.7 or older is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 9.9, indicating extreme severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. While the description does not specify authentication requirements, it is inferred that the vulnerable upload interface is reachable through normal theme functionality; therefore an unauthenticated attacker could potentially exploit it if the upload endpoint is publicly accessible. Successful exploitation would allow the attacker to deliver and execute arbitrary code on the server, leading to a complete compromise of confidentiality, integrity, and availability of the site.

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Remediation

Vendor Solution

Update the WordPress Ecommerce Zone Theme to the latest available version (at least 0.9.8).


OpenCVE Recommended Actions

  • Update the WordPress Ecommerce Zone Theme to version 0.9.8 or later, as released by the vendor.
  • If an immediate update is not possible, disable or restrict the theme’s file upload feature until the patch is applied.
  • Configure the web server to reject uploaded files that are not expected by the theme and enforce strict MIME‑type validation to mitigate the risk of future file upload abuses.

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themagnifico52
Themagnifico52 ecommerce Zone
Wordpress
Wordpress wordpress
Vendors & Products Themagnifico52
Themagnifico52 ecommerce Zone
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.
Title WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Themagnifico52 Ecommerce Zone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:33:26.049Z

Reserved: 2026-04-15T09:19:38.195Z

Link: CVE-2026-40747

cve-icon Vulnrichment

Updated: 2026-06-17T12:33:20.183Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:14Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type