Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress upload endpoint (AV:N/AC:L), requires Subscriber auth (PR:L), no user interaction, RCE breaches WordPress app boundary into OS (S:C) with full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.
AnalysisAI
Arbitrary file upload in the Ecommerce Zone WordPress theme (versions <= 0.9.7) allows authenticated low-privileged users (Subscriber role) to upload files of attacker-chosen types, resulting in a CVSS 9.9 critical scoring with scope change. No public exploit identified at time of analysis, and the issue was reported by Patchstack via their WordPress vulnerability database. Successful exploitation typically leads to remote code execution on the underlying web server.
Technical ContextAI
Ecommerce Zone is a commercial WordPress theme by themagnifico52 (CPE: cpe:2.3:a:themagnifico52:ecommerce_zone). The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning a theme-exposed upload handler fails to validate file extension, MIME type, or content before persisting attacker-supplied files into the WordPress filesystem. Because WordPress serves files from the uploads directory and themes often expose AJAX/REST endpoints accessible to any logged-in role, a Subscriber - the lowest-privilege authenticated WordPress role and the default for open registration sites - can reach the vulnerable endpoint and drop a PHP file that is then executable by the web server user.
RemediationAI
No vendor-released patch identified at time of analysis - the provided Patchstack entry covers versions <= 0.9.7 but does not specify a fixed release. Site operators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/ecommerce-zone/vulnerability/wordpress-ecommerce-zone-theme-0-9-7-arbitrary-file-upload-vulnerability) for fix availability and, until a patched theme version is published, apply compensating controls: disable open user registration via Settings > General (trade-off: blocks legitimate customer self-signup, which may be unacceptable for eCommerce use cases); deploy a WAF rule (e.g., Patchstack mU or Wordfence) that blocks the vulnerable upload endpoint for non-admin roles; enforce filesystem-level execution restrictions on wp-content/uploads by adding a deny rule for .php/.phtml/.phar execution in the web server config (trade-off: may break legitimate plugins that intentionally execute from uploads); and consider switching to an alternative theme if a fix is not released promptly. After remediation, audit wp-content/uploads and the theme directory for any unrecognized PHP files and review web server access logs for POSTs from Subscriber accounts.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37599