Skip to main content

Restaurt Theme CVE-2026-22327

| EUVDEUVD-2026-37650 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint (AV:N/AC:L), Subscriber auth required (PR:L), no admin interaction (UI:N), and arbitrary PHP upload escapes the theme sandbox to compromise the host (S:C, C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:35 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Restaurt <= 1.0.4 versions.

AnalysisAI

Arbitrary file upload in the Restaurt WordPress theme versions 1.0.4 and earlier allows authenticated users with Subscriber-level privileges to upload arbitrary files, potentially leading to remote code execution on the WordPress host. The CVSS 9.9 score reflects scope-changed impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Restaurt is a commercial WordPress theme developed by ZozoThemes (CPE cpe:2.3:a:zozothemes:restaurt) and typically deployed on restaurant/hospitality sites. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the theme exposes an upload handler that does not adequately validate file extension, MIME type, or content before writing to the WordPress uploads directory. Because WordPress Subscriber is the lowest authenticated role (intended for commenters), upload functionality should never be reachable to it - the flaw most likely lies in an AJAX endpoint or REST route registered by the theme that lacks a proper capability check (e.g., missing current_user_can() or relying solely on a nonce).

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory documents the flaw in versions ≤1.0.4 but the provided data does not name a fixed release; site operators should check ZozoThemes for an updated Restaurt version newer than 1.0.4 and apply it, monitoring the advisory at https://patchstack.com/database/wordpress/theme/restaurt/vulnerability/wordpress-restaurt-theme-1-0-4-arbitrary-file-upload-vulnerability for fix confirmation. As compensating controls until a patch is confirmed, disable open user registration in WordPress (Settings → General → uncheck 'Anyone can register') which removes the primary path to acquiring the Subscriber role, deploy a virtual patch via Patchstack/Wordfence WAF rules targeting the vulnerable upload endpoint, and add a web-server rule denying execution of PHP files within wp-content/uploads (trade-off: breaks any legitimate plugin that intentionally serves PHP from uploads, which is rare).

Share

CVE-2026-22327 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy