Impact
This vulnerability allows a subscriber to upload an arbitrary file through the Kids Gift Shop WordPress theme’s upload interface. The flaw enables an attacker to place malicious files on the server, potentially leading to full remote code execution and compromising the affected website’s confidentiality, integrity, and availability. The associated weakness is identified as CWE-434, reflecting a lack of proper file type validation.
Affected Systems
The issue affects all installations of the Kids Gift Shop theme from themagnifico52 with version 0.5.4 or earlier. The only known fixed release is version 0.5.5, which removes the insecure upload capability.
Risk and Exploitability
With a CVSS score of 9.9, the risk is considered very high. The EPSS score is not available, but the lack of CISA KEV listing does not diminish the urgency, as the flaw permits unauthenticated or minimal-privilege attackers to exploit the uploading mechanism. The attack likely proceeds via the web interface and can be triggered by any user with subscriber-level permissions.
OpenCVE Enrichment