Skip to main content

TemplateSpare CVE-2026-57658

| EUVDEUVD-2026-39663 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-26 audit@patchstack.com GHSA-98gc-mw7m-prrh
9.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Admin-only upload sets PR:H with AV:N/AC:L/UI:N; webshell RCE yields C/I/A:H, but the compromise stays within the same WordPress host so S:U rather than S:C.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:46 vuln.today

DescriptionCVE.org

Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.

AnalysisAI

Arbitrary file upload in the TemplateSpare WordPress plugin (versions 4.2.0 and earlier) allows an authenticated administrator-level user to upload files of dangerous types, enabling deployment of a PHP web shell and full server compromise. The flaw was reported by Patchstack and carries a CVSS of 9.1, but exploitation requires existing high-privilege (Administrator) access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Administrator credentials
Delivery
Access TemplateSpare upload feature
Exploit
Upload PHP file bypassing type checks
Execution
Request uploaded webshell URL
Persist
Execute arbitrary code on server
Impact
Full site/host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with Administrator privileges (CVSS PR:H), and the TemplateSpare plugin (<= 4.2.0) must be installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict in a way defenders should weigh carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained WordPress Administrator access - via credential theft, phishing, or an over-provisioned internal account - uses the TemplateSpare upload functionality to upload a PHP web shell instead of a legitimate template asset. They then browse to the uploaded file to execute commands, establishing persistent remote control of the site and underlying host. …
Remediation No vendor-released patch version was identified in the provided data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/templatespare/vulnerability/wordpress-templatespare-plugin-4-2-0-arbitrary-file-upload-vulnerability?_s_id=cve) and the WordPress.org plugin page for an updated release above 4.2.0 and upgrade as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all TemplateSpare installations for versions 4.2.0 or earlier; disable the plugin immediately if non-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy