Skip to main content

Webenvo EUVDEUVD-2026-37587

| CVE-2026-39589 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload abusable by any Subscriber (PR:L, AC:L); writing executable files to webroot escapes the app sandbox (S:C) and yields full host-level C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:21 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.

AnalysisAI

Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Webenvo is a WordPress theme published by a_wp_life. The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a common WordPress theme/plugin flaw where an upload handler - typically exposed via an AJAX action, REST endpoint, or admin-ajax hook - fails to enforce capability checks and/or fails to validate file type, extension, or MIME. Because WordPress maps the Subscriber role to the lowest authenticated tier, the access control gap effectively allows any registered user to write PHP or other executable content into the webroot, which Apache/PHP-FPM will then execute on request.

RemediationAI

Upstream fix availability is not confirmed from the provided data - the Patchstack advisory is the only reference and no patched version is cited, so administrators should treat this as: no vendor-released patch independently confirmed at time of analysis. Until a fixed Webenvo release is published, deactivate and replace the Webenvo theme on production sites, or at minimum disable user self-registration in WordPress (Settings → General → uncheck "Anyone can register") to remove the PR:L precondition; the trade-off is loss of community/membership functionality. Additional compensating controls: place a WAF rule or hardening plugin (e.g., Wordfence) to block uploads with executable extensions (.php, .phtml, .phar) to wp-content paths, and revoke any untrusted Subscriber accounts. Monitor https://patchstack.com/database/wordpress/theme/webenvo/vulnerability/wordpress-webenvo-theme-0-0-6-arbitrary-file-upload-vulnerability for the fixed version.

Share

EUVD-2026-37587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy