Skip to main content

Charity Zone

1 CVEs product

Monthly

CVE-2026-40749 CRITICAL Act Now

Arbitrary file upload in the Charity Zone WordPress theme (versions 1.1.1 and prior) allows authenticated users with only Subscriber-level privileges to upload files of attacker-chosen type, leading to remote code execution under the web server context. The flaw was disclosed via Patchstack and carries a CVSS 9.9 due to the scope change from a low-privileged WordPress role to full server compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload Charity Zone
NVD
CVSS 3.1
9.9
EPSS
0.4%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the Charity Zone WordPress theme (versions 1.1.1 and prior) allows authenticated users with only Subscriber-level privileges to upload files of attacker-chosen type, leading to remote code execution under the web server context. The flaw was disclosed via Patchstack and carries a CVSS 9.9 due to the scope change from a low-privileged WordPress role to full server compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload Charity Zone
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy