Impact
The Charity Zone WordPress theme contains an arbitrary file upload flaw that permits the submission of files without adequate validation. Because the upload endpoint accepts any MIME type and does not enforce restrictions, an attacker could upload a file that contains executable code such as a PHP script. While the CVE description does not explicitly confirm that uploaded code will be executed, the ability to place a script on the server typically allows execution when accessed through the web interface. This inference is drawn from the nature of the vulnerability and common web application behavior. The consequence of successful execution could be full compromise of the site, including data theft, defacement, or further exploitation of the underlying server.
Affected Systems
All WordPress installations that use the Charity Zone theme version 1.1.1 or earlier (by the author themagnifico52) are affected. Any site running these legacy versions faces the same risk through the theme’s file upload feature.
Risk and Exploitability
The CVSS score of 9.9 indicates a critical risk level, and the vulnerability is exploitable remotely via the web interface, requiring only the capability to submit an upload request. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely leveraged in the wild. Nonetheless, because no file type validation exists, the source code allows an attacker to upload arbitrary files, a high likelihood condition that threat actors could exploit if discovered.
OpenCVE Enrichment