CVE-2026-40748
Deferred Deferred - Pending Action
Subscriber Arbitrary File Upload in Kids Gift Shop

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-40748
EUVD
EUVD-2026-37600
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack kids_gift_shop_theme to 0.5.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress Kids Gift Shop Theme, versions 0.5.4 and below, contains an Arbitrary File Upload vulnerability. This flaw allows attackers with Subscriber-level privileges to upload malicious files, such as backdoors, to the affected website. Exploiting this vulnerability can lead to unauthorized access and control over the site.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to your website by attackers who upload malicious files. These files can be used to execute harmful actions such as installing backdoors, which compromise the confidentiality, integrity, and availability of your site and its data.

Detection Guidance

This vulnerability involves arbitrary file upload by users with Subscriber-level privileges in the Kids Gift Shop WordPress theme version 0.5.4 and below. Detection can focus on identifying suspicious file uploads or unauthorized files on the web server.

  • Check the uploads directory for recently added or modified files that are unusual or unexpected.
  • Use commands like 'find' on the server to locate recently modified files, for example: find /path/to/wp-content/uploads -type f -mtime -7
  • Review web server logs for POST requests to file upload endpoints related to the Kids Gift Shop theme.
  • Use tools like 'grep' to search for suspicious file extensions or filenames in the uploads directory.
  • Monitor for unexpected PHP or executable files in upload directories, which could indicate backdoor uploads.
Mitigation Strategies

The immediate and recommended mitigation is to update the Kids Gift Shop WordPress theme to version 0.5.5 or later, which contains the patch for this vulnerability.

Until the update can be applied, users should apply Patchstack's provided rule to block attacks exploiting this vulnerability.

Additionally, restrict or monitor Subscriber-level user privileges to prevent exploitation.

Regularly audit uploaded files and server logs for suspicious activity.

Compliance Impact

The vulnerability allows attackers to upload arbitrary malicious files, including backdoors, potentially leading to unauthorized access to the affected website.

Such unauthorized access and potential data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

Therefore, if exploited, this vulnerability could compromise data confidentiality, integrity, and availability, impacting compliance obligations under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart