Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Remote HTTP upload (AV:N/AC:L), low-privileged WordPress account required (PR:L), no user interaction, and web shell execution breaks out of the app to the host (S:C, C/I/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server.
This issue affects Kids Online Store: from n/a through 0.8.9.
AnalysisAI
Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Kids Online Store is a commercial WordPress theme distributed by the vendor themagnifico52, identified by CPE cpe:2.3:a:themagnifico52:kids_online_store. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), in which a file upload handler exposed by the theme fails to validate file extensions, MIME types, or content before writing user-supplied files into a web-accessible directory. Because WordPress executes PHP files placed within the document root, an attacker who uploads a PHP web shell can have it interpreted on the next HTTP request, turning a file-write primitive into full code execution under the web server account.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/kids-online-store/vulnerability/wordpress-kids-online-store-theme-0-8-9-arbitrary-file-upload-vulnerability lists affected versions through 0.8.9 without a confirmed fixed release. As compensating controls, administrators should deactivate and remove the Kids Online Store theme until the vendor releases a patched version (trade-off: loss of the site's current design), or place the upload endpoint behind a WAF rule that blocks requests with PHP, PHTML, or other executable extensions and enforces MIME validation. Additionally, set the theme's upload directory to disallow PHP execution via an .htaccess or nginx location rule denying script handlers (trade-off: may break legitimate features that rely on dynamic uploads), restrict WordPress user registration and audit existing low-privilege accounts to reduce the population of accounts that could meet the PR:L precondition, and monitor wp-content directories for newly created PHP files.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37065
GHSA-mg2v-229h-59xq