Skip to main content

Kids Online Store CVE-2026-40750

| EUVDEUVD-2026-37065 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-16 Patchstack GHSA-mg2v-229h-59xq
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Remote HTTP upload (AV:N/AC:L), low-privileged WordPress account required (PR:L), no user interaction, and web shell execution breaks out of the app to the host (S:C, C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 11:50 vuln.today

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server.

This issue affects Kids Online Store: from n/a through 0.8.9.

AnalysisAI

Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Kids Online Store is a commercial WordPress theme distributed by the vendor themagnifico52, identified by CPE cpe:2.3:a:themagnifico52:kids_online_store. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), in which a file upload handler exposed by the theme fails to validate file extensions, MIME types, or content before writing user-supplied files into a web-accessible directory. Because WordPress executes PHP files placed within the document root, an attacker who uploads a PHP web shell can have it interpreted on the next HTTP request, turning a file-write primitive into full code execution under the web server account.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/kids-online-store/vulnerability/wordpress-kids-online-store-theme-0-8-9-arbitrary-file-upload-vulnerability lists affected versions through 0.8.9 without a confirmed fixed release. As compensating controls, administrators should deactivate and remove the Kids Online Store theme until the vendor releases a patched version (trade-off: loss of the site's current design), or place the upload endpoint behind a WAF rule that blocks requests with PHP, PHTML, or other executable extensions and enforces MIME validation. Additionally, set the theme's upload directory to disallow PHP execution via an .htaccess or nginx location rule denying script handlers (trade-off: may break legitimate features that rely on dynamic uploads), restrict WordPress user registration and audit existing low-privilege accounts to reduce the population of accounts that could meet the PR:L precondition, and monitor wp-content directories for newly created PHP files.

Share

CVE-2026-40750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy