CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen allows Upload a Web Shell to a Web Server. This issue affects Flozen: from n/a through n/a.
Analysis
NasaTheme Flozen contains an unrestricted file upload flaw that lets an unauthenticated remote attacker upload a web shell to the server and then execute it. The CVE description gives the affected range as "n/a through n/a", so no fixed version is identified and every installed version should be treated as affected until the vendor states otherwise. The CVSS v3.1 base score is 10.0: network vector, low attack complexity, no privileges and no user interaction required, with changed scope. KEV status has not been verified at the time of writing. Successful exploitation yields arbitrary code execution as the web server user, which in practice means full read and write control over the site's files and database credentials, the ability to take the site offline, and a foothold on the host.
Technical Context
The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerable component is most likely the theme's file upload handler, which does not validate the extension, MIME type or content of an uploaded file server-side before writing it into a web-accessible directory. Flozen is a PHP theme, most likely for WordPress, so the dangerous types are the extensions the web server hands to a script interpreter (.php, .phtml, .phar and the numbered .php variants on a PHP stack; .jsp or .asp on other stacks) plus anything else the server maps to a handler. Restrictions enforced only in the browser are irrelevant: an attacker submits the multipart request directly with whatever filename and Content-Type they choose. If the file lands under the document root with an executable extension, the first GET to it runs the attacker's code instead of serving static content. The changed scope in the vector (S:C) reflects that the impact crosses from the theme into the web server process and the host rather than staying within the vulnerable component.
Affected Products
Product: NasaTheme Flozen. Affected versions: unspecified; the CVE lists "n/a through n/a", so no fixed version is identified and all installed versions should be treated as affected until NasaTheme publishes a patched release. No official CPE has been assigned; a plausible identifier, pending NVD assignment, would be cpe:2.3:a:nasatheme:flozen:*:*:*:*:*:*:*:*. The theme runs under PHP, so the expected deployment context is a WordPress site using Flozen on Apache or nginx with mod_php or PHP-FPM, on shared or dedicated hosting.
Remediation
Immediate Actions: (1) Contact NasaTheme for a patched release; no vendor advisory or patch URL has been published at the time of writing. (2) Until a patch is available, disable the affected upload functionality, or confine uploads to a directory the web server will never execute from. (3) Enforce validation server-side, not in the browser: allowlist a small set of extensions (for example .jpg, .png, .pdf), reject names containing any script extension anywhere (shell.php.jpg as well as shell.php), verify the file's magic bytes against its extension rather than trusting the client's Content-Type header, reject files containing a PHP open tag, store under a server-generated random name, and scan content with antivirus or YARA rules. (4) Store uploads outside the document root where possible; otherwise deny script execution in the upload directory. On Apache, a <FilesMatch "\.(php|phtml|phar|php[0-9])$"> block containing Require all denied, placed in the vhost configuration (or in .htaccess only if AllowOverride permits it); php_flag engine off also works, but only under mod_php, not PHP-FPM. On nginx, for a WordPress install, a location ~* ^/wp-content/uploads/.*\.php$ { deny all; } block placed before the PHP-FPM location so it matches first. Also refuse uploads named .htaccess or .user.ini, since either can re-enable execution from inside the directory. (5) Audit access logs for POSTs to the theme's upload endpoint followed by requests for .php files under the uploads directory, and sweep the uploads tree for script extensions, server control files and image files that contain a PHP open tag; remove anything found and treat the host as compromised until reviewed. (6) Add WAF rules that block multipart uploads to the upload endpoint whose filename or content matches a script extension or PHP open tag. (7) Watch NasaTheme's advisory and update channels and apply the fix immediately when it is released.
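The audit in step (5), as an added Python example rather than a tool from vuln.today or NasaTheme. It sweeps an uploads tree for script extensions, .htaccess/.user.ini control files and images carrying a PHP open tag, and parses combined-format access log lines for requests that execute a script under the uploads path. The /wp-content/uploads/ prefix assumes a WordPress install, the sample tree and log lines are constructed for the example (RFC 5737 addresses), and the admin-ajax.php action name in the first log line is a placeholder, not Flozen's real endpoint.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumed WordPress layout; adjust the prefix for another deployment.
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXTS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".jsp", ".asp", ".aspx"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Files that change how the server treats the directory: an uploaded .htaccess can
# re-enable PHP for .jpg under mod_php, a .user.ini can set auto_prepend_file under PHP-FPM/CGI.
CONTROL_FILES = {".htaccess", ".user.ini"}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log for the example; the action name is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=theme_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:12:00:03 +0000] "GET /wp-content/uploads/2025/09/shell.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2025:12:01:10 +0000] "GET /wp-content/uploads/2025/09/banner.jpg HTTP/1.1" 200 44012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:12:02:00 +0000] "POST /wp-content/uploads/2025/09/shell.php HTTP/1.1" 200 2048 "-" "python-requests/2.32"
"""


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an uploads tree and return (relative_path, reason) for every file that
    should not be there. Upload files are small, so each is read whole for the
    polyglot check; a script extension anywhere in the name is flagged first."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(s.lower() in SCRIPT_EXTS for s in path.suffixes):
            findings.append((rel, "script extension"))
        elif path.name in CONTROL_FILES:
            findings.append((rel, "server control file in uploads"))
        elif PHP_OPEN_TAG.search(path.read_bytes()):
            findings.append((rel, "PHP open tag inside non-script file"))
    return findings


def find_shell_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """(ip, path, status) for every request that asked the server to run a script
    under the uploads prefix, which is what a dropped web shell looks like in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string (cmd=id)
        if path.startswith(UPLOADS_PREFIX) and any(
            s.lower() in SCRIPT_EXTS for s in Path(path).suffixes
        ):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


def build_sample_tree() -> str:
    """Constructed uploads tree: one clean image, one dropped shell, one polyglot
    image, one .htaccess that would re-enable execution. Returns the root path."""
    root = tempfile.mkdtemp(prefix="uploads-")
    d = Path(root, "2025", "09")
    d.mkdir(parents=True)
    (d / "banner.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (d / "shell.php").write_bytes(b"<?php system($_GET['cmd']); ?>")
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"<?php eval($_POST['x']); ?>")
    (d / ".htaccess").write_bytes(b"AddType application/x-httpd-php .jpg\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"FILE  {rel}: {reason}")
    for ip, path, status in find_shell_requests(SAMPLE_LOG):
        print(f"LOG   {ip} -> {path} ({status})")
```

A 200 on a .php under uploads is the strongest signal in the log: the server executed the file, so whatever the scan finds there is the shell that ran, and the IPs that requested it are the starting point for the wider incident review.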
EUVD-2025-28281