CVE-2025-30996
Unrestricted File Upload in Themify Themes Enables Remote Code Execution
Publication date: 2026-01-06
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| themify | themify_sidepane | up to and including 1.9.8 |
| themify | themify_newsy | up to and including 1.9.9 |
| themify | themify_folo | up to and including 1.9.6 |
| themify | themify_edmin | up to and including 2.0.0 |
| themify | bloggie | up to and including 2.0.8 |
| themify | photobox | up to and including 2.0.1 |
| themify | wigi | up to and including 2.0.1 |
| themify | rezo | up to and including 1.9.7 |
| themify | slide | up to and including 1.7.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-30996 is an arbitrary file upload vulnerability affecting multiple Themify WordPress themes. It allows an attacker with at least Contributor or Developer privileges to upload arbitrary files, including web shells or backdoors, to the web server; such files can then be executed to gain unauthorized access to and control over the website. The vulnerability is rated critical, with a CVSS score of 9.9, and falls under OWASP Top 10 categories such as Injection and Security Misconfiguration. No official fixes are currently available, but mitigation rules from Patchstack can block exploitation attempts. [1, 2, 3, 4, 5, 6, 7, 8, 9]
How can this vulnerability impact me?
This vulnerability can have severe impact: it allows attackers to upload and execute malicious files such as web shells or backdoors, giving them unauthorized access to your website. This can lead to full compromise of the site, data theft, defacement, or use of the site as a launchpad for further attacks. Because the attacker needs only Contributor or Developer privileges, it poses a significant risk even on sites that restrict user registration. The CVSS score of 9.9 reflects the critical severity and the likelihood of exploitation. [1, 2, 3, 4, 5, 6, 7, 8, 9]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate CVE-2025-30996 include applying the mitigation rules issued by Patchstack, which block attacks exploiting this vulnerability until an official patch is released. Since no official fix is currently available for the affected Themify WordPress themes, users are strongly advised to implement these mitigation rules immediately to protect their websites from arbitrary file uploads and resulting backdoors. The rules provide automated protection and ongoing security intelligence for affected installations. [1, 2, 3, 4, 5, 6, 7, 8, 9]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows unauthorized upload and execution of malicious files (web shells) leading to potential unauthorized access and data breaches, it could negatively affect compliance with data protection regulations that require safeguarding personal and sensitive data. Organizations using affected themes should mitigate this vulnerability promptly to reduce risks of data breaches and maintain compliance. [1, 2, 3, 4, 5, 6, 7, 8, 9]