Description
Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Charity Zone WordPress theme contains an arbitrary file upload flaw that permits the submission of files without adequate validation. Because the upload endpoint accepts any MIME type and does not enforce restrictions, an attacker could upload a file that contains executable code such as a PHP script. While the CVE description does not explicitly confirm that uploaded code will be executed, the ability to place a script on the server typically allows execution when accessed through the web interface. This inference is drawn from the nature of the vulnerability and common web application behavior. The consequence of successful execution could be full compromise of the site, including data theft, defacement, or further exploitation of the underlying server.

Affected Systems

All WordPress installations that use the Charity Zone theme version 1.1.1 or earlier (by the author themagnifico52) are affected. Any site running these legacy versions faces the same risk through the theme’s file upload feature.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical risk level, and the vulnerability is exploitable remotely via the web interface, requiring only the capability to submit an upload request. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely leveraged in the wild. Nonetheless, because no file type validation exists, the source code allows an attacker to upload arbitrary files, a high likelihood condition that threat actors could exploit if discovered.

Generated by OpenCVE AI on June 18, 2026 at 14:04 UTC.

Remediation

Vendor Solution

Update the WordPress Charity Zone Theme to the latest available version (at least 1.1.2).


OpenCVE Recommended Actions

  • Update the Charity Zone theme to version 1.1.2 or newer as issued by the vendor.
  • If an upgrade is not possible, disable or remove the theme’s upload feature or restrict accepted file types to safe media formats such as images.
  • After applying the fix, scan any existing uploaded files for suspicious or executable content and delete or quarantine any that appear malicious.

Generated by OpenCVE AI on June 18, 2026 at 14:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themagnifico52
Themagnifico52 charity Zone
Wordpress
Wordpress wordpress
Vendors & Products Themagnifico52
Themagnifico52 charity Zone
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.
Title WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Themagnifico52 Charity Zone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:32:07.360Z

Reserved: 2026-04-15T09:19:38.195Z

Link: CVE-2026-40749

cve-icon Vulnrichment

Updated: 2026-06-17T12:32:03.006Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:11Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type