CVE-2025-68555
zozothemes · Nutrie
An unrestricted file upload vulnerability in zozothemes Nutrie allows unauthenticated attackers to upload web shells to the server.
Executive summary
The zozothemes Nutrie theme contains a critical unrestricted file upload vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the web server by uploading a web shell.
Vulnerability
The theme's upload handler does not adequately validate the type of uploaded files, so an attacker can submit a server-side script (for example a .php file) in place of an expected image or document and have it stored inside the web root. Because the upload endpoint requires no authentication, any remote user can place a web shell on the underlying web server and then execute commands through it.
Business impact
The ability to upload a web shell provides an attacker with persistent, unauthorized control over the server environment. With a CVSS score of 9.9, this vulnerability presents an immediate risk of full system compromise, including the potential for data exfiltration, lateral movement within the network, and complete service disruption.
Remediation
Immediate Action: Update the Nutrie theme to version 2.0.1 or higher, which corrects the insecure file upload logic. Treat any site still running an earlier version as exposed until the update is applied.
Proactive Monitoring: Audit the web server's upload directories for the presence of unrecognized executable files (e.g., .php, .phtml) and monitor access logs for anomalous file upload patterns.
Compensating Controls: Configure the web server to disable script execution in upload directories and deploy a WAF to filter for common web shell signatures and file extension bypass attempts.
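The audit step above can be scripted. The following shell functions are an added example, not code from the advisory or from zozothemes: they walk an upload directory and report two things a web shell leaves behind, a filename carrying a PHP-executable extension (including double extensions such as shell.php.jpg, which some Apache configurations still pass to mod_php) and a file of any name that contains a PHP open tag (the image/PHP polyglot case). The directory path and the extension list are assumptions; adjust both to the server's actual upload root (for WordPress, typically wp-content/uploads) and to the handlers its PHP configuration maps.

```shell
#!/bin/sh
# Added example: audit an upload directory for files a PHP handler would run.
# Not part of the advisory; paths and the extension list are assumptions.

# find_script_uploads DIR
# Print every regular file under DIR whose name carries a PHP-executable
# extension, anywhere in the name, so shell.php.jpg is caught as well as
# shell.php. Legitimate uploads (images, PDFs) should never match.
find_script_uploads() {
    dir="$1"
    find "$dir" -type f \( \
        -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php.*' -o -iname '*.phtml.*' \) \
        -print
}

# count_script_uploads DIR
# Number of files reported by find_script_uploads, as a bare integer.
count_script_uploads() {
    find_script_uploads "$1" | wc -l | tr -d ' '
}

# find_php_tags DIR
# Print every file under DIR that contains a PHP open tag, regardless of its
# extension. -a forces binary files (polyglot GIF/JPEG shells) to be scanned.
find_php_tags() {
    dir="$1"
    grep -rla -- '<?php' "$dir" 2>/dev/null || true
}

# count_php_tags DIR
# Number of files reported by find_php_tags, as a bare integer.
count_php_tags() {
    find_php_tags "$1" | wc -l | tr -d ' '
}

# audit_uploads DIR
# Human-readable report; returns 1 if anything suspicious was found so the
# function can gate a cron job or a deployment check.
audit_uploads() {
    dir="$1"
    scripts=$(count_script_uploads "$dir")
    tags=$(count_php_tags "$dir")
    echo "script-named files under $dir: $scripts"
    find_script_uploads "$dir" | sed 's/^/  /'
    echo "files containing a PHP open tag under $dir: $tags"
    find_php_tags "$dir" | sed 's/^/  /'
    [ "$scripts" -eq 0 ] && [ "$tags" -eq 0 ]
}

# Usage (assumed WordPress layout):
#   audit_uploads /var/www/html/wp-content/uploads
```

Run the audit from cron and alert on a non-zero exit; a clean upload tree should report zero on both counts. The script complements, and does not replace, the server-side control of refusing to execute scripts under the upload root: a web shell that is present but never executed is an indicator, one that is executed is a compromise.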
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ease of exploitation and the severity of the impact, this vulnerability must be treated as a high-priority remediation task. Administrators should verify the integrity of their web directory and ensure that all theme components are updated to the vendor-recommended secure versions.