Skip to main content

Kids Gift Shop CVE-2026-40748

| EUVDEUVD-2026-37600 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint with only Subscriber auth (PR:L), no user interaction, and arbitrary file upload yielding RCE that escapes the theme's security scope (S:C, C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:15 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.

AnalysisAI

Arbitrary file upload in the Kids Gift Shop WordPress theme (versions 0.5.4 and earlier) allows authenticated users with Subscriber-level privileges to upload arbitrary files to the server. The CVSS 3.1 score of 9.9 with scope change reflects the potential for remote code execution leading to full site compromise, and no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Kids Gift Shop WordPress theme by themagnifico52, identified by CPE cpe:2.3:a:themagnifico52:kids_gift_shop. CWE-434 (Unrestricted Upload of File with Dangerous Type) is the root cause class - a file upload handler in the theme fails to properly validate file extensions, MIME types, or content, allowing executable PHP files to be written into web-accessible directories. WordPress themes that expose AJAX endpoints or admin-ajax handlers without proper capability checks frequently exhibit this pattern, where the nopriv or low-privilege hook is accessible to any logged-in user including Subscribers, the lowest authenticated WordPress role typically granted via open registration.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory lists versions <= 0.5.4 as affected without referencing a fixed release. Site operators should immediately deactivate and remove the Kids Gift Shop theme from any production WordPress installation until the vendor publishes a patched version, monitoring https://patchstack.com/database/wordpress/theme/kids-gift-shop/vulnerability/wordpress-kids-gift-shop-theme-0-5-4-arbitrary-file-upload-vulnerability for updates. As compensating controls, disable open user registration in WordPress general settings to eliminate the Subscriber-account attack surface (side effect: blocks legitimate self-service signups), enforce a Web Application Firewall rule blocking POST requests to the theme's upload endpoints (side effect: may break legitimate theme features), and restrict PHP execution within wp-content/uploads via webserver configuration (side effect: breaks plugins that rely on uploads-directory execution).

Share

CVE-2026-40748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy