CVE-2026-1555
Arbitrary File Upload in WebStack WordPress Theme Enables RCE
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owen0o0 | webstack | up to and including 1.2024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WebStack theme for WordPress (versions up to and including 1.2024) is missing file type validation in its io_img_upload() function. Because the function is reachable without authentication, an attacker who can reach the site can upload a file of any type to the server.
Since the upload is not restricted to image types, the attacker can upload a PHP script into a web-accessible directory and then request it, which makes the web server execute the attacker's code (CWE-434, unrestricted upload of a file with a dangerous type). That is why an arbitrary file upload in a PHP application is treated as remote code execution.
How can this vulnerability impact me?
This vulnerability can have severe impact, up to unauthorized remote code execution on your server.
An attacker needs no account on the site: they can upload a web shell, execute arbitrary code in the context of the web server user, read or modify the WordPress database and files, steal data, and use the host as a foothold for further access.
The CVSS score of 9.8 reflects a critical severity: network-reachable, no authentication or user interaction required, with high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an arbitrary file upload through the io_img_upload() function of the WebStack WordPress theme, which accepts files without server-side file type validation.
To detect exploitation attempts, look in two places: in web server logs, for POST requests to the WordPress AJAX handler (wp-admin/admin-ajax.php) carrying the theme's upload action, typically with the action parameter set to 'img_upload'; and on disk, for unexpected files under wp-content/uploads. Note that WordPress AJAX clients usually send the action parameter in the POST body, which access logs do not record, so a log search only finds requests that placed it in the query string; no hits is not proof that nothing happened.
Example checks for suspicious uploads include:
- Searching web server logs (Apache or Nginx) for POST requests to admin-ajax.php with 'action=img_upload' in the query string, for example:
  grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'action=img_upload'
  (use /var/log/nginx/access.log for Nginx). Treat hits as leads, not verdicts: a legitimate upload from the admin UI can produce the same line.
- Checking the WordPress uploads directory for files that are not images. Any PHP-executable file (.php, .phtml, .phar) under wp-content/uploads is a strong indicator, as is a file with an image extension whose first bytes are not that format's signature (for example a '.jpg' that begins with '<?php').
- Using file integrity monitoring tools to alert on new or modified files in the uploads directory, and investigating any new file that does not correspond to a known editor action.
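The two checks above, worked into a runnable script. This is an added example, not code from the advisory or from the WebStack theme: it searches constructed Apache-format log lines for POSTs to admin-ajax.php that carry action=img_upload in the query string, and scans a constructed uploads tree for files whose extension is not an image type or whose leading bytes do not match the image signature their extension promises. The action name 'img_upload' is carried over from the answer above and is an assumption; the sample log lines and files are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): hunt for io_img_upload() abuse in
# access logs and in the uploads tree. Assumption: the theme's upload action
# reaches wp-admin/admin-ajax.php with the parameter action=img_upload.

# Constructed sample access-log lines (Apache combined format).
SAMPLE_LOG='198.51.100.7 - - [15/Apr/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=img_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [15/Apr/2026:10:01:03 +0000] "GET /wp-content/uploads/2026/04/shell.jpg HTTP/1.1" 200 31 "-" "python-requests/2.31"
203.0.113.9 - - [15/Apr/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Apr/2026:10:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"'

# Print log lines for POSTs to admin-ajax.php whose query string contains
# action=img_upload. Caveat: WordPress clients normally send "action" in the
# POST body, which access logs do not record, so the third sample line (a
# body-only POST) is invisible here. Reads files given as arguments, else stdin.
find_upload_requests() {
  grep -E '"POST /wp-admin/admin-ajax\.php\?([^" ]*&)?action=img_upload(&[^" ]*)? HTTP/' "$@"
}

# Walk an uploads tree and print "reason<TAB>path" for every file that is
# either not an image extension at all (php, phtml, phar, anything else) or an
# image extension whose first bytes are not that format's magic number.
scan_uploads() {
  dir=$1
  find "$dir" -type f | while IFS= read -r f; do
    base=${f##*/}
    ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')
    magic=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
    case "$ext" in
      jpg|jpeg) expect='ffd8ff' ;;            # JPEG SOI marker
      png)      expect='89504e470d0a1a0a' ;;  # PNG signature
      gif)      expect='47494638' ;;          # "GIF8" (GIF87a / GIF89a)
      webp)     expect='52494646' ;;          # "RIFF" container
      *)        printf 'non-image-extension\t%s\n' "$f"; continue ;;
    esac
    case "$magic" in
      "$expect"*) ;;                           # content matches extension
      *) printf 'magic-mismatch\t%s\n' "$f" ;;
    esac
  done
}

# Constructed uploads tree for the demo: a real PNG header, a real JPEG header,
# a PHP file disguised as .jpg, and a bare .php dropped next to them.
make_demo_uploads() {
  d=$(mktemp -d)
  mkdir -p "$d/2026/04"
  printf '\211PNG\r\n\032\n' > "$d/2026/04/logo.png"
  printf '\377\330\377\340' > "$d/2026/04/ok.jpg"
  printf '<?php echo 1; ?>' > "$d/2026/04/shell.jpg"
  printf '<?php echo 2; ?>' > "$d/2026/04/x.php"
  printf '%s' "$d"
}

demo_dir=$(make_demo_uploads)
echo "== log hits =="
printf '%s\n' "$SAMPLE_LOG" | find_upload_requests
echo "== suspicious files =="
scan_uploads "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real site with `find_upload_requests /var/log/apache2/access.log*` and `scan_uploads /var/www/html/wp-content/uploads`. The magic check is deliberately strict on content, not on what the HTTP client claimed: a renamed PHP file passes an extension filter but not this one.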
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the WebStack theme to a version that patches the vulnerability, if one is available; all versions up to and including 1.2024 are affected.
- If an update is not available, temporarily disable or restrict the vulnerable AJAX upload functionality, for example by requiring authentication and a suitable capability check (such as upload_files) for the 'img_upload' AJAX action.
- Implement server-side file type validation that inspects the file content (image signature), not just the extension or the client-supplied MIME type, and allow only the image types the theme actually needs.
- Use Web Application Firewall (WAF) rules to block file upload attempts targeting the vulnerable endpoint from unauthenticated clients.
- Monitor your server for unauthorized uploaded files and remove them. Any PHP file under wp-content/uploads should be treated as evidence of compromise, not just clutter: if it was ever requested, assume the attacker has run code on the host and widen the investigation to persistence and credentials.
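A containment script for the last two steps, as an added example that is not part of the advisory or the WebStack theme. It moves PHP-executable files found under the uploads tree into a quarantine directory outside the web root (keeping the original path in a log for later forensics) and drops an .htaccess that refuses to serve PHP from uploads, so a file that slips past an extension check still cannot execute. The Apache 2.4 directive syntax is an assumption about the hosting stack (nginx needs the equivalent `location ~* /uploads/.*\.php$ { deny all; }`); the demo site tree is constructed. Fixing the theme itself (the capability check on the AJAX action) is PHP-side work this script does not replace.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): quarantine PHP-executable files from
# a WordPress uploads tree and block PHP execution there via .htaccess.
# Assumption: Apache 2.4 with .htaccess overrides enabled for the uploads dir.

# harden_uploads <uploads-dir> <quarantine-dir>
harden_uploads() {
  uploads=$1
  quarantine=$2
  mkdir -p "$quarantine"
  log="$quarantine/quarantine.log"
  : > "$log"
  # Extensions the PHP handler commonly executes; listed explicitly so the
  # less usual mappings (php5, phtml, phar) are not missed.
  find "$uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
       -o -iname '*.phtml' -o -iname '*.phar' \) |
  while IFS= read -r f; do
    rel=${f#"$uploads"/}
    # Flatten the relative path into the file name so nothing collides.
    dest="$quarantine/$(printf '%s' "$rel" | tr '/' '_')"
    printf '%s\t%s\t%s\t%s bytes\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" "$dest" "$(wc -c < "$f" | tr -d ' ')" >> "$log"
    mv "$f" "$dest"
  done
  # Deny every PHP-like name under uploads regardless of how it got there.
  cat > "$uploads/.htaccess" <<'EOF'
# Added by harden_uploads: never serve or execute PHP from the uploads tree
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed demo site: one legitimate image, two attacker-style files.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2026/04"
  printf '\377\330\377\340' > "$d/wp-content/uploads/2026/04/photo.jpg"
  printf '<?php echo 1; ?>' > "$d/wp-content/uploads/2026/04/x.php"
  printf '<?php echo 2; ?>' > "$d/wp-content/uploads/2026/04/a.phtml"
  printf '%s' "$d"
}

demo=$(make_demo_site)
harden_uploads "$demo/wp-content/uploads" "$demo/quarantine"
echo "== quarantine log =="
cat "$demo/quarantine/quarantine.log"
echo "== remaining files =="
find "$demo/wp-content/uploads" -type f
rm -rf "$demo"
```

On a live host, point the quarantine directory somewhere outside the document root (for example /var/quarantine/<site>), keep the moved files and the log for the incident review rather than deleting them, and confirm the deny rule works by requesting a harmless test file such as uploads/test.php and expecting a 403.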
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress site, potentially leading to remote code execution. This could result in unauthorized access to sensitive data or disruption of services.
Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and ensure system integrity.
Therefore, exploitation of this vulnerability could lead to violations of these standards due to compromised confidentiality, integrity, and availability of data.