Impact
Unrestricted upload of files with dangerous types in the Kids Online Store theme exposes the web server to the installation of malicious files, including potential web shells that grant an attacker full remote control. The weakness is an input validation flaw permitting any file type to be accepted. If an attacker can place a web shell onto the server, the confidentiality, integrity, and availability of the site and its data can be entirely compromised.
Affected Systems
The vulnerability affects the WordPress Kids Online Store theme from the initial release through version 0.8.9. Only installations using these or earlier theme versions are at risk. The flaw is present in the theme's file upload functionality, which is typically accessed by administrators or users with theme editing privileges.
Risk and Exploitability
The CVSS score of 9.9 indicates a critical severity, while the EPSS score of <1% shows that exploit likelihood is currently low. The issue is not listed in CISA's KEV catalog. The attack vector is inferred to be a web-based file upload through the theme’s settings page, likely requiring a user with administrative or content‑management privileges. Given the high impact and the low probability of exploitation, the overall risk remains significant until the vulnerability is patched.
OpenCVE Enrichment