Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N/AC:L), Subscriber auth required (PR:L), no admin interaction (UI:N), and arbitrary PHP upload escapes the theme sandbox to compromise the host (S:C, C/I/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Upload in Restaurt <= 1.0.4 versions.
AnalysisAI
Arbitrary file upload in the Restaurt WordPress theme versions 1.0.4 and earlier allows authenticated users with Subscriber-level privileges to upload arbitrary files, potentially leading to remote code execution on the WordPress host. The CVSS 9.9 score reflects scope-changed impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Restaurt is a commercial WordPress theme developed by ZozoThemes (CPE cpe:2.3:a:zozothemes:restaurt) and typically deployed on restaurant/hospitality sites. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the theme exposes an upload handler that does not adequately validate file extension, MIME type, or content before writing to the WordPress uploads directory. Because WordPress Subscriber is the lowest authenticated role (intended for commenters), upload functionality should never be reachable to it - the flaw most likely lies in an AJAX endpoint or REST route registered by the theme that lacks a proper capability check (e.g., missing current_user_can() or relying solely on a nonce).
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory documents the flaw in versions ≤1.0.4 but the provided data does not name a fixed release; site operators should check ZozoThemes for an updated Restaurt version newer than 1.0.4 and apply it, monitoring the advisory at https://patchstack.com/database/wordpress/theme/restaurt/vulnerability/wordpress-restaurt-theme-1-0-4-arbitrary-file-upload-vulnerability for fix confirmation. As compensating controls until a patch is confirmed, disable open user registration in WordPress (Settings → General → uncheck 'Anyone can register') which removes the primary path to acquiring the Subscriber role, deploy a virtual patch via Patchstack/Wordfence WAF rules targeting the vulnerable upload endpoint, and add a web-server rule denying execution of PHP files within wp-content/uploads (trade-off: breaks any legitimate plugin that intentionally serves PHP from uploads, which is rare).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37650