CVE-2025-30996
Unrestricted File Upload in Themify Themes Enables Remote Code Execution

Publication date: 2026-01-06

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows uploading a web shell to a web server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products (9 associated CPEs)
Vendor    Product            Version / Range
themify   themify_sidepane   up to and including 1.9.8
themify   themify_newsy      up to and including 1.9.9
themify   themify_folo       up to and including 1.9.6
themify   themify_edmin      up to and including 2.0.0
themify   bloggie            up to and including 2.0.8
themify   photobox           up to and including 2.0.1
themify   wigi               up to and including 2.0.1
themify   rezo               up to and including 1.9.7
themify   slide              up to and including 1.7.5
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-30996 is an Arbitrary File Upload vulnerability affecting multiple Themify WordPress themes. It allows an attacker with at least Contributor or Developer privileges to upload arbitrary files, including dangerous web shells or backdoors, to the web server. These malicious files can then be executed to gain unauthorized access and control over the website. The vulnerability is highly severe with a CVSS score of 9.9 and is classified under OWASP Top 10 categories such as Injection and Security Misconfiguration. No official fixes are currently available, but mitigations from Patchstack can help block exploitation attempts. [1, 2, 3, 4, 5, 6, 7, 8, 9]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to your website by allowing attackers to upload and execute malicious files like web shells or backdoors. This can lead to full compromise of the website, data theft, defacement, or use of the site as a launchpad for further attacks. Because the attacker needs only Contributor or Developer privileges, it poses a significant risk even if the site has some user restrictions. The high CVSS score of 9.9 reflects the critical nature and likelihood of exploitation. [1, 2, 3, 4, 5, 6, 7, 8, 9]


What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate CVE-2025-30996 include applying the mitigation rules issued by Patchstack, which can block attacks exploiting this vulnerability until an official patch is released. Since no official fix is currently available for the affected Themify WordPress themes, users are strongly advised to implement these mitigation rules immediately to protect their websites from arbitrary file uploads and potential backdoors. These mitigation rules provide automated protection and ongoing security intelligence to safeguard affected installations. [1, 2, 3, 4, 5, 6, 7, 8, 9]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows unauthorized upload and execution of malicious files (web shells) leading to potential unauthorized access and data breaches, it could negatively affect compliance with data protection regulations that require safeguarding personal and sensitive data. Organizations using affected themes should mitigate this vulnerability promptly to reduce risks of data breaches and maintain compliance. [1, 2, 3, 4, 5, 6, 7, 8, 9]

