Skip to main content

Ona CVE-2026-32482

| EUVDEUVD-2026-15823 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-25 Patchstack GHSA-8x7j-66jm-5vq5
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:48 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.24
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15823
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.9

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24.

AnalysisAI

An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.

Technical ContextAI

The vulnerability resides in the deothemes Ona WordPress theme (CPE: cpe:2.3:a:deothemes:ona:*:*:*:*:*:*:*:*), which fails to properly validate and restrict file uploads during the file upload process. CWE-434, the root cause classification, describes cases where an application accepts files from users without sufficiently validating the file type, content, or destination path. In WordPress themes, this typically occurs when upload handlers lack proper MIME type validation, extension whitelisting, or destination directory controls. Attackers exploit this by crafting malicious files (such as PHP web shells) that bypass client-side or insufficient server-side validation, resulting in executable code being stored in web-accessible directories.

RemediationAI

Immediately upgrade the deothemes Ona theme to version 1.24 or later, which contains the patch for this file upload vulnerability. Site administrators should access the WordPress theme management interface, deactivate the affected Ona theme, upgrade to the patched version, and reactivate it. Until patching is completed, implement server-side file upload restrictions by adding rules to the web server configuration (Apache/Nginx) to deny execution of scripts in the uploads directory, restrict uploads to a whitelist of safe file extensions (JPEG, PNG, PDF only), and ensure the uploads directory is not executable. Additionally, review upload logs for any suspicious PHP, JSP, or executable files that may have been uploaded during the vulnerability window, and consider running a WordPress security scanner to detect injected web shells.

Share

CVE-2026-32482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy