Skip to main content

Zegen

2 CVEs product

Monthly

CVE-2026-27419 CRITICAL Act Now

Arbitrary file upload in the Zegen WordPress theme (versions 1.1.9 and earlier) lets a low-privileged authenticated user (Subscriber role) upload files without adequate type validation, enabling upload of executable PHP and full site compromise. The CVSS 3.1 base score is 9.9 with a scope change, reflecting that a minimally-privileged account can escalate to server-level code execution. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Zegen
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-2289 MEDIUM This Month

The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Zegen PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Arbitrary file upload in the Zegen WordPress theme (versions 1.1.9 and earlier) lets a low-privileged authenticated user (Subscriber role) upload files without adequate type validation, enabling upload of executable PHP and full site compromise. The CVSS 3.1 base score is 9.9 with a scope change, reflecting that a minimally-privileged account can escalate to server-level code execution. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Zegen
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Zegen +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy