CVE-2025-68553
Unrestricted File Upload in Lendiz ≤ 2.0.1 Enables Web Shell Upload
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zozothemes | lendiz | to 2.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68553 is an Arbitrary File Upload vulnerability in the WordPress Lendiz Theme versions prior to 2.0.1.
This vulnerability allows an attacker to upload any type of file, including dangerous files like web shells, to a website using the vulnerable theme.
Once uploaded, these files can be executed by the attacker to gain unauthorized access and control over the website.
The vulnerability is classified under OWASP Top 10 category A3: Injection and has a critical CVSS score of 9.9.
It requires only subscriber-level privileges to exploit, making it easier for attackers to leverage.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to your website.
Attackers can upload backdoors or web shells, which allow them to execute arbitrary commands, manipulate website content, steal data, or use the site as a platform for further attacks.
Such unauthorized control can lead to website defacement, data breaches, loss of customer trust, and potential downtime.
Because the vulnerability requires only subscriber-level access, it increases the risk that even low-privileged users can compromise the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows an attacker to upload arbitrary files, including web shells, to a website using the vulnerable Lendiz theme. Detection can involve scanning the web server for unexpected or suspicious files, especially those that could be web shells.
Specific commands are not provided in the available resources, but common approaches include:
- Searching the web server directories for recently added or modified files with suspicious extensions (e.g., .php, .phtml) that could be web shells.
- Using file integrity monitoring tools to detect unauthorized file uploads.
- Reviewing web server logs for unusual POST requests or file upload activity targeting the Lendiz theme upload endpoints.
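The three detection approaches listed above can be turned into a small triage script. The following is an added example, not code from Patchstack or the Lendiz theme, and it makes these assumptions: the site uses the standard WordPress layout (`wp-content/themes/<slug>/` and `wp-content/uploads/`), the web server writes Apache/nginx combined-format access logs, and the theme's upload endpoint path is unknown, so any POST under the theme directory is flagged and the sample log uses an obviously labelled placeholder path. It goes one step beyond the list: besides finding recently modified executable files, it also flags any request that serves a `.php`-like file from the uploads directory, which is a common sign that an uploaded shell is being invoked.

```python
import os
import re
import time
from dataclasses import dataclass

# Extensions the PHP interpreter (or a loosely configured server) will execute.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines. The theme upload endpoint path is a PLACEHOLDER;
# the real endpoint is not named on the advisory page.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] '
    '"POST /wp-content/themes/lendiz/PLACEHOLDER-upload-endpoint.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Mar/2026:10:12:09 +0000] '
    '"GET /wp-content/uploads/2026/03/cmd.php?x=1 HTTP/1.1" 200 87',
    '198.51.100.2 - - [05/Mar/2026:10:13:00 +0000] '
    '"GET /wp-content/uploads/2026/03/hero.jpg HTTP/1.1" 200 44210',
    '198.51.100.2 - - [05/Mar/2026:10:13:05 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0',
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "upload-attempt" or "webshell-access"
    detail: str  # human-readable summary for the analyst


def suspicious_files(entries, since_epoch, exts=EXECUTABLE_EXTS):
    """Return paths from (path, mtime_epoch) pairs that carry an executable
    extension and were modified at or after since_epoch."""
    hits = []
    for path, mtime in entries:
        ext = os.path.splitext(path)[1].lower()
        if ext in exts and mtime >= since_epoch:
            hits.append(path)
    return sorted(hits)


def walk_entries(root):
    """Yield (path, mtime) for every regular file under root."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getmtime(full)
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort the scan


def scan_uploads_dir(root, days=7):
    """Find executable files under root (normally wp-content/uploads) changed in the last N days."""
    since = time.time() - days * 86400
    return suspicious_files(walk_entries(root), since)


def flag_log_lines(lines, theme_slug="lendiz"):
    """Flag POSTs to the theme directory (possible upload attempts) and any
    request for an executable file served from wp-content/uploads."""
    findings = []
    theme_prefix = f"/wp-content/themes/{theme_slug}/"
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        method, status = m["method"], m["status"]
        path = m["path"].split("?", 1)[0]  # drop the query string before checking the extension
        if method == "POST" and path.startswith(theme_prefix):
            findings.append(Finding("upload-attempt", f"{m['ip']} POST {path} -> {status}"))
        if path.startswith("/wp-content/uploads/") and os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS:
            findings.append(Finding("webshell-access", f"{m['ip']} {method} {path} -> {status}"))
    return findings


if __name__ == "__main__":
    for f in flag_log_lines(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
    # On a live host: print(scan_uploads_dir("/var/www/html/wp-content/uploads"))
```

Run it against the real access log with `flag_log_lines(open("/var/log/nginx/access.log"))` and against the uploads directory with `scan_uploads_dir(...)`; a hit in the uploads directory is worth confirming with a file integrity monitoring baseline before deciding whether it is an artefact of this vulnerability or of a legitimate plugin.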
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the Lendiz theme to version 2.0.1 or later, where the vulnerability has been patched.
Until the update can be applied, it is recommended to implement the mitigation rule provided by Patchstack that can block attacks exploiting this vulnerability.
Additionally, consider using automated vulnerability mitigation services offered by Patchstack to help secure the WordPress site against exploitation.