CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis (AI)
Unrestricted file upload in WebStack WordPress theme allows unauthenticated remote code execution. The io_img_upload() function in all versions through 1.2024 lacks file type validation, enabling unauthenticated attackers to upload malicious files (e.g., PHP shells) directly to the server. …
Remediation (AI)
24 hours: Identify all WordPress installations using WebStack theme versions 1.2024 or earlier and disable the affected io_img_upload() function or remove the theme entirely if not essential. 7 days: If WebStack theme removal is not feasible, implement web application firewall (WAF) rules to block file upload requests to the vulnerable upload endpoint and restrict file upload directories from executing PHP code. …
EUVD-2026-22830