Skip to main content

Themify Shopo CVE-2025-31048

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-01-05 audit@patchstack.com
File Upload
9.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 05, 2026 - 11:17 nvd
CRITICAL 9.9

DescriptionNVD

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4.

AnalysisAI

Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.

Technical ContextAI

The theme does not validate uploaded file types (CWE-434), allowing any authenticated user (including subscribers with minimal WordPress privileges) to upload PHP web shells. The scope change indicates code execution beyond the WordPress application boundary.

Affected ProductsAI

Themify Shopo WordPress theme through 1.1.4

RemediationAI

Update or remove the Shopo theme. Disable user registration if not needed. Implement server-level file upload restrictions (block .php uploads in wp-content/uploads).

Share

CVE-2025-31048 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy