Impact
In WordPress Ecommerce Zone Theme versions 0.9.7 and earlier, the theme fails to validate uploaded files properly, enabling an attacker to place arbitrary files on the server. This flaw falls under CWE‑434 and allows compromised files, such as malicious scripts, to be uploaded. Should the server execute a malicious file, the attacker can gain full control of the affected WordPress installation.
Affected Systems
The vulnerability affects the Ecommerce Zone WordPress theme, distributed by themagnifico52. Any site running version 0.9.7 or older is susceptible.
Risk and Exploitability
The flaw carries a CVSS score of 9.9, indicating extreme severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. While the description does not specify authentication requirements, it is inferred that the vulnerable upload interface is reachable through normal theme functionality; therefore an unauthenticated attacker could potentially exploit it if the upload endpoint is publicly accessible. Successful exploitation would allow the attacker to deliver and execute arbitrary code on the server, leading to a complete compromise of confidentiality, integrity, and availability of the site.
OpenCVE Enrichment