Themify Shopo CVE-2025-31048
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4.
AnalysisAI
Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.
Technical ContextAI
The theme does not validate uploaded file types (CWE-434), allowing any authenticated user (including subscribers with minimal WordPress privileges) to upload PHP web shells. The scope change indicates code execution beyond the WordPress application boundary.
Affected ProductsAI
Themify Shopo WordPress theme through 1.1.4
RemediationAI
Update or remove the Shopo theme. Disable user registration if not needed. Implement server-level file upload restrictions (block .php uploads in wp-content/uploads).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today