Skip to main content

Webenvo CVE-2026-39589

| EUVDEUVD-2026-37587 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload abusable by any Subscriber (PR:L, AC:L); writing executable files to webroot escapes the app sandbox (S:C) and yields full host-level C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:21 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.

AnalysisAI

Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register Subscriber account on target site
Delivery
Authenticate to WordPress
Exploit
Send crafted upload request to Webenvo theme endpoint
Execution
Write PHP webshell to webroot
Persist
Request shell URL to execute commands
Impact
Achieve RCE and site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a WordPress site running the Webenvo theme at version 0.0.6 or earlier, and (2) the attacker holding a valid Subscriber-level (or higher) account on that site - implying either open user registration is enabled (Settings → General → "Anyone can register"), or the attacker has obtained Subscriber credentials through another means. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) signals a high-impact, low-complexity, network-reachable flaw requiring only minimal privileges, which is consistent with a Subscriber-level WordPress account on a site that permits open registration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a WordPress site running the Webenvo theme, then sends a crafted HTTP POST to the vulnerable upload endpoint containing a PHP webshell disguised as an allowed file type. Once the file lands in an accessible directory under wp-content, the attacker requests the shell URL to execute arbitrary commands as the web server user, pivoting to full site takeover and potentially the host.
Remediation Upstream fix availability is not confirmed from the provided data - the Patchstack advisory is the only reference and no patched version is cited, so administrators should treat this as: no vendor-released patch independently confirmed at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Webenvo theme presence and version; disable the theme immediately if found. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy