CVE-2025-50002
Status: Awaiting Analysis
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia (theme slug energia) allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through 1.1.2.
Meta Information
Published: 2026-01-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE: vendor farost, product energia, versions 1.1.0 (inclusive) through 1.1.2 (inclusive).
Note that the CPE range starts at 1.1.0 while the description gives no lower bound ("from n/a"); treat any Energia install at or below 1.1.2 as affected until a fixed release is published.
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the unrestricted upload of arbitrary files, including web shells, to WordPress sites using the Energia theme up to version 1.1.2. Detection can focus on monitoring for suspicious file uploads or web shell files on the server. Since no official fix is available, Patchstack provides mitigation rules that can block exploitation attempts. Specific detection commands are not provided in the available resources. General approaches include scanning the web server's upload directories (typically wp-content/uploads) for files with PHP-family extensions or for PHP code embedded in what should be images, checking web server logs for unusual POST requests to upload endpoints and for any request that executes a file under the uploads directory, and using a web application firewall with rules targeting this vulnerability. [1]


Can you explain this vulnerability to me?

CVE-2025-50002 is an Arbitrary File Upload vulnerability in the WordPress Energia theme (up to version 1.1.2) that allows unauthenticated attackers to upload malicious files, such as web shells, to the web server. Once uploaded, such a file can be requested directly and executed by the PHP interpreter, giving the attacker code execution and control over the affected website. This vulnerability falls under the OWASP Top 10 category A5: Security Misconfiguration and has a critical severity with a CVSS score of 10. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to your website, execution of malicious code, potential full compromise of the web server, data theft, defacement, or use of the server for further attacks. Since it requires no privileges to exploit, any attacker can leverage it to gain control over your WordPress site using the affected Energia theme. [1]


What immediate steps should I take to mitigate this vulnerability?

Apply Patchstack's mitigation rule immediately, which blocks exploitation attempts of this vulnerability. Since no official patch or fixed version of the Energia theme is currently available, using this mitigation provides the fastest protection until an official patch is released. A virtual patch is a stopgap: it narrows the exposure but does not remove the vulnerable code, so keep tracking the vendor for a fixed release. Additionally, restrict what the upload path can do, in particular by denying execution of PHP files inside the uploads directory, and monitor for suspicious upload activity as general best practices. [1]
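As an added example of the "deny execution in the uploads directory" layer (not code from BaseFortify, Patchstack or the Energia theme), the script below writes an Apache 2.4 `.htaccess` into a constructed uploads directory that refuses to serve PHP-family files at all, then checks that the control is present. It assumes the default wp-content/uploads location and that `AllowOverride` permits `FilesMatch`/`Require` in that path; if overrides are disabled, the same block belongs in the vhost's `<Directory>` section.

```shell
#!/usr/bin/env bash
# Added example (not BaseFortify/Patchstack/Energia code): make uploaded files
# data, never code, by refusing PHP-family files under wp-content/uploads.
# The directory used here is a constructed temp dir, not a real site.
set -eu

# Drop an .htaccess into the uploads tree that refuses PHP-family files
# outright. With this in place an uploaded shell.php (or photo.php.jpg on a
# host whose handler matches by any extension) answers 403 instead of running.
harden_uploads_dir() {
    cat > "$1/.htaccess" <<'EOF'
# Uploaded files are data, never code: refuse PHP-family files outright.
<FilesMatch "\.(?i:ph(p[3-7]?|tml|ar|ps))$">
    Require all denied
</FilesMatch>
EOF
}

# Check that the protection is present; useful for config-drift and
# post-incident audits, since an attacker with write access may remove it.
uploads_php_blocked() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Constructed demo directory standing in for wp-content/uploads.
UPLOADS="$(mktemp -d)"
trap 'rm -rf "$UPLOADS"' EXIT
if uploads_php_blocked "$UPLOADS"; then
    echo "uploads dir already hardened"
else
    echo "uploads dir is not hardened yet"
fi
harden_uploads_dir "$UPLOADS"
if uploads_php_blocked "$UPLOADS"; then
    echo "uploads dir now refuses PHP files"
fi
```

The nginx equivalent is a location block such as `location ~* ^/wp-content/uploads/.*\.ph(p[3-7]?|tml|ar|ps)$ { deny all; }` placed before the PHP handler location. Neither control stops the upload itself; it removes the execution step that turns an uploaded file into a web shell, which is why it belongs underneath, not instead of, the WAF rule.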

