CVE-2026-24960
Unrestricted File Upload in Charety β€ 2.0.2 Enables Malicious Files
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zozothemes | charety | to 2.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24960 is a high-priority Arbitrary File Upload vulnerability affecting the WordPress Charety Theme versions prior to 2.0.2.
This vulnerability allows a malicious actor to upload any type of file, including dangerous files such as backdoors, to the affected website.
It is classified under OWASP Top 10 A3: Injection and can be exploited by users with subscriber or developer privileges.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized execution of malicious code on your website.
Attackers can gain further access and control over the website, potentially compromising its integrity, confidentiality, and availability.
This can result in data breaches, defacement, or use of the website as a platform for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows arbitrary file uploads, including malicious files such as backdoors, to the affected WordPress Charety Theme versions prior to 2.0.2.
Detection can involve checking for unexpected or suspicious files uploaded to the website directories, especially files with dangerous extensions or unexpected content.
Since the vulnerability requires subscriber or developer privileges to exploit, monitoring user activities and uploads for unusual behavior is also recommended.
Specific commands are not provided in the available resources, but common approaches include scanning the web server upload directories for recently added files with suspicious extensions or content, and reviewing web server logs for unusual POST requests related to file uploads.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WordPress Charety Theme to version 2.0.2 or later, where the vulnerability has been patched.
Until the patch is applied, using the automatic mitigation rule provided by Patchstack can help block attacks targeting this vulnerability, offering rapid protection.