Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint with only Subscriber auth (PR:L), no user interaction, and arbitrary file upload yielding RCE that escapes the theme's security scope (S:C, C/I/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
AnalysisAI
Arbitrary file upload in the Kids Gift Shop WordPress theme (versions 0.5.4 and earlier) allows authenticated users with Subscriber-level privileges to upload arbitrary files to the server. The CVSS 3.1 score of 9.9 with scope change reflects the potential for remote code execution leading to full site compromise, and no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Kids Gift Shop WordPress theme by themagnifico52, identified by CPE cpe:2.3:a:themagnifico52:kids_gift_shop. CWE-434 (Unrestricted Upload of File with Dangerous Type) is the root cause class - a file upload handler in the theme fails to properly validate file extensions, MIME types, or content, allowing executable PHP files to be written into web-accessible directories. WordPress themes that expose AJAX endpoints or admin-ajax handlers without proper capability checks frequently exhibit this pattern, where the nopriv or low-privilege hook is accessible to any logged-in user including Subscribers, the lowest authenticated WordPress role typically granted via open registration.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory lists versions <= 0.5.4 as affected without referencing a fixed release. Site operators should immediately deactivate and remove the Kids Gift Shop theme from any production WordPress installation until the vendor publishes a patched version, monitoring https://patchstack.com/database/wordpress/theme/kids-gift-shop/vulnerability/wordpress-kids-gift-shop-theme-0-5-4-arbitrary-file-upload-vulnerability for updates. As compensating controls, disable open user registration in WordPress general settings to eliminate the Subscriber-account attack surface (side effect: blocks legitimate self-service signups), enforce a Web Application Firewall rule blocking POST requests to the theme's upload endpoints (side effect: may break legitimate theme features), and restrict PHP execution within wp-content/uploads via webserver configuration (side effect: breaks plugins that rely on uploads-directory execution).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37600