Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24.
AnalysisAI
An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.
Technical ContextAI
The vulnerability resides in the deothemes Ona WordPress theme (CPE: cpe:2.3:a:deothemes:ona:*:*:*:*:*:*:*:*), which fails to properly validate and restrict file uploads during the file upload process. CWE-434, the root cause classification, describes cases where an application accepts files from users without sufficiently validating the file type, content, or destination path. In WordPress themes, this typically occurs when upload handlers lack proper MIME type validation, extension whitelisting, or destination directory controls. Attackers exploit this by crafting malicious files (such as PHP web shells) that bypass client-side or insufficient server-side validation, resulting in executable code being stored in web-accessible directories.
RemediationAI
Immediately upgrade the deothemes Ona theme to version 1.24 or later, which contains the patch for this file upload vulnerability. Site administrators should access the WordPress theme management interface, deactivate the affected Ona theme, upgrade to the patched version, and reactivate it. Until patching is completed, implement server-side file upload restrictions by adding rules to the web server configuration (Apache/Nginx) to deny execution of scripts in the uploads directory, restrict uploads to a whitelist of safe file extensions (JPEG, PNG, PDF only), and ensure the uploads directory is not executable. Additionally, review upload logs for any suspicious PHP, JSP, or executable files that may have been uploaded during the vulnerability window, and consider running a WordPress security scanner to detect injected web shells.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15823
GHSA-8x7j-66jm-5vq5