Skip to main content

Ecommerce Zone EUVDEUVD-2026-37599

| CVE-2026-40747 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress upload endpoint (AV:N/AC:L), requires Subscriber auth (PR:L), no user interaction, RCE breaches WordPress app boundary into OS (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:16 vuln.today
CVE Published
Jun 17, 2026 - 09:51 cve.org
CRITICAL 9.9

DescriptionCVE.org

Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.

AnalysisAI

Arbitrary file upload in the Ecommerce Zone WordPress theme (versions <= 0.9.7) allows authenticated low-privileged users (Subscriber role) to upload files of attacker-chosen types, resulting in a CVSS 9.9 critical scoring with scope change. No public exploit identified at time of analysis, and the issue was reported by Patchstack via their WordPress vulnerability database. Successful exploitation typically leads to remote code execution on the underlying web server.

Technical ContextAI

Ecommerce Zone is a commercial WordPress theme by themagnifico52 (CPE: cpe:2.3:a:themagnifico52:ecommerce_zone). The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning a theme-exposed upload handler fails to validate file extension, MIME type, or content before persisting attacker-supplied files into the WordPress filesystem. Because WordPress serves files from the uploads directory and themes often expose AJAX/REST endpoints accessible to any logged-in role, a Subscriber - the lowest-privilege authenticated WordPress role and the default for open registration sites - can reach the vulnerable endpoint and drop a PHP file that is then executable by the web server user.

RemediationAI

No vendor-released patch identified at time of analysis - the provided Patchstack entry covers versions <= 0.9.7 but does not specify a fixed release. Site operators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/ecommerce-zone/vulnerability/wordpress-ecommerce-zone-theme-0-9-7-arbitrary-file-upload-vulnerability) for fix availability and, until a patched theme version is published, apply compensating controls: disable open user registration via Settings > General (trade-off: blocks legitimate customer self-signup, which may be unacceptable for eCommerce use cases); deploy a WAF rule (e.g., Patchstack mU or Wordfence) that blocks the vulnerable upload endpoint for non-admin roles; enforce filesystem-level execution restrictions on wp-content/uploads by adding a deny rule for .php/.phtml/.phar execution in the web server config (trade-off: may break legitimate plugins that intentionally execute from uploads); and consider switching to an alternative theme if a fix is not released promptly. After remediation, audit wp-content/uploads and the theme directory for any unrecognized PHP files and review web server access logs for POSTs from Subscriber accounts.

Share

EUVD-2026-37599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy