Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable upload abusable by any Subscriber (PR:L, AC:L); writing executable files to webroot escapes the app sandbox (S:C) and yields full host-level C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.
AnalysisAI
Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Webenvo is a WordPress theme published by a_wp_life. The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a common WordPress theme/plugin flaw where an upload handler - typically exposed via an AJAX action, REST endpoint, or admin-ajax hook - fails to enforce capability checks and/or fails to validate file type, extension, or MIME. Because WordPress maps the Subscriber role to the lowest authenticated tier, the access control gap effectively allows any registered user to write PHP or other executable content into the webroot, which Apache/PHP-FPM will then execute on request.
RemediationAI
Upstream fix availability is not confirmed from the provided data - the Patchstack advisory is the only reference and no patched version is cited, so administrators should treat this as: no vendor-released patch independently confirmed at time of analysis. Until a fixed Webenvo release is published, deactivate and replace the Webenvo theme on production sites, or at minimum disable user self-registration in WordPress (Settings → General → uncheck "Anyone can register") to remove the PR:L precondition; the trade-off is loss of community/membership functionality. Additional compensating controls: place a WAF rule or hardening plugin (e.g., Wordfence) to block uploads with executable extensions (.php, .phtml, .phar) to wp-content paths, and revoke any untrusted Subscriber accounts. Monitor https://patchstack.com/database/wordpress/theme/webenvo/vulnerability/wordpress-webenvo-theme-0-0-6-arbitrary-file-upload-vulnerability for the fixed version.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37587