Skip to main content

ThemeGoods Photography CVE-2026-27043

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-19 audit@patchstack.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 20, 2026 - 13:52 vuln.today
CVE Published
Mar 19, 2026 - 15:16 nvd
HIGH 7.2

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a through 7.7.5.

AnalysisAI

The ThemeGoods Photography WordPress theme through version 7.7.5 permits authenticated administrators to upload arbitrary files with path traversal capabilities, enabling remote code execution and complete site compromise. While the CVSS score of 7.2 indicates high severity, the requirement for high-privileged admin credentials (PR:H) significantly constrains real-world exploitability. The EPSS score of 0.04% (12th percentile) suggests minimal likelihood of active exploitation, with no public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type) combined with path traversal (referenced in vulnerability description). The ThemeGoods Photography WordPress theme fails to properly validate uploaded file types and sanitize file paths during the upload process. This dual weakness allows attackers to bypass intended upload restrictions and write files to arbitrary filesystem locations outside the designated upload directory. When combined, these flaws enable placement of malicious PHP files in web-accessible directories, leading to remote code execution. The vulnerability affects the Photography theme for WordPress, a commercial premium theme distributed by ThemeGoods for photography portfolio websites.

Affected ProductsAI

ThemeGoods Photography theme for WordPress versions from an unspecified starting point through version 7.7.5 are confirmed vulnerable. The vulnerability was reported by audit@patchstack.com and is documented in the Patchstack vulnerability database. Detailed technical information is available at https://patchstack.com/database/wordpress/theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve and advisory tracking is maintained at https://vuldb.com/?id.351722. No CPE strings were provided in the available intelligence data for this vulnerability.

RemediationAI

Upgrade the ThemeGoods Photography theme to a version newer than 7.7.5 that addresses this vulnerability. Consult the vendor advisory at https://patchstack.com/database/wordpress/theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve for the specific patched release version and update instructions. Until patching is completed, implement defense-in-depth measures including: restrict WordPress administrator access to only essential personnel with multi-factor authentication enforced, monitor file upload activity and review uploaded files for suspicious PHP or executable content, implement web application firewall rules to block path traversal patterns in upload requests, and conduct a forensic review of existing uploaded files to identify potential backdoors if administrator accounts may have been compromised during the vulnerability window.

Share

CVE-2026-27043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy