Description
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a subscriber to upload an arbitrary file through the Kids Gift Shop WordPress theme’s upload interface. The flaw enables an attacker to place malicious files on the server, potentially leading to full remote code execution and compromising the affected website’s confidentiality, integrity, and availability. The associated weakness is identified as CWE-434, reflecting a lack of proper file type validation.

Affected Systems

The issue affects all installations of the Kids Gift Shop theme from themagnifico52 with version 0.5.4 or earlier. The only known fixed release is version 0.5.5, which removes the insecure upload capability.

Risk and Exploitability

With a CVSS score of 9.9, the risk is considered very high. The EPSS score is not available, but the lack of CISA KEV listing does not diminish the urgency, as the flaw permits unauthenticated or minimal-privilege attackers to exploit the uploading mechanism. The attack likely proceeds via the web interface and can be triggered by any user with subscriber-level permissions.

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Remediation

Vendor Solution

Update the WordPress Kids Gift Shop Theme to the latest available version (at least 0.5.5).


OpenCVE Recommended Actions

  • Apply the latest patch by updating the Kids Gift Shop Theme to at least version 0.5.5
  • If an update cannot be performed immediately, disable or remove the upload feature from the child theme or use a security plugin to restrict upload types to a whitelist
  • Implement server‑side validation or file scanning to ensure only expected file formats are accepted and monitor upload logs for suspicious activity

Generated by OpenCVE AI on June 18, 2026 at 12:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themagnifico52
Themagnifico52 kids Gift Shop
Wordpress
Wordpress wordpress
Vendors & Products Themagnifico52
Themagnifico52 kids Gift Shop
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
Title WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Themagnifico52 Kids Gift Shop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:57.226Z

Reserved: 2026-04-15T09:19:38.195Z

Link: CVE-2026-40748

cve-icon Vulnrichment

Updated: 2026-06-17T13:36:32.485Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:13Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type