CVE-2026-1555
WebStack · WebStack Theme for WordPress
The WebStack WordPress theme contains an arbitrary file upload vulnerability in the io_img_upload() function that allows unauthenticated attackers to achieve remote code execution.
Executive summary
An unauthenticated arbitrary file upload vulnerability in the WebStack WordPress theme allows remote attackers to upload and then execute a malicious script, leading to full site compromise.
Vulnerability
The io_img_upload() function does not validate the type of the file it receives and can be reached without authentication, so an attacker can upload arbitrary files, such as a PHP web shell, to the server. Where the web server executes scripts from the upload location (the default configuration on most WordPress hosts), requesting the uploaded file runs it, giving Remote Code Execution (RCE) in the context of the web server.
Business impact
With a CVSS score of 9.8, this vulnerability is rated critical: it allows complete site takeover without any authentication. Successful exploitation can lead to data exfiltration, defacement, and the deployment of persistent backdoors or ransomware within the web server environment.
Remediation
Immediate Action: Update the WebStack theme to a version that fixes the issue. If none is available, switch the site to another theme and remove the WebStack files from wp-content/themes; an inactive theme's PHP files stay on disk and remain directly reachable over the web.
Proactive Monitoring: Audit wp-content/uploads for files that are not images, in particular anything with a .php or similar script extension, a double extension such as .php.jpg, or an image extension whose contents are not image data. Review web server logs for POST requests to the theme's upload endpoint and for any request to a .php path under wp-content/uploads, which a WordPress site should never serve.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules that block upload requests carrying script extensions or PHP content, and configure the web server to deny execution of scripts under wp-content/uploads.
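The monitoring step above and the validation that io_img_upload() is reported to lack are the same checks seen from two sides. The following Python script is added here as an illustration; it is not code from WebStack, WordPress or this advisory. It shows the file-type checks a safe image-upload handler would apply (an extension allow-list applied to every suffix so that double extensions are caught, a magic-byte check, and a scan for an embedded PHP open tag), reuses those checks to audit an uploads tree, and scans access-log lines for requests to PHP files under wp-content/uploads. The allowed extensions, the sample files and the log lines are constructed for the example; the POST target in the sample log is WordPress's generic admin-ajax.php endpoint used only as a placeholder, since the advisory does not name the route that reaches io_img_upload().

```python
"""Added example (not WebStack or WordPress code): the file-type checks a safe
image-upload handler should make, reused to audit an existing uploads tree, plus
a scan of access-log lines for requests to PHP files under wp-content/uploads."""
import os
import re
import tempfile
from pathlib import Path

# Assumption: the endpoint's legitimate purpose is image upload, so only raster
# image types are accepted. Adjust ALLOWED_EXT and MAGIC if a site needs more.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),  # RIFF container; the "WEBP" tag sits at offset 8
}
# Extensions that common PHP handler configurations will execute.
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".pht")


def classify_upload(filename: str, data: bytes) -> str:
    """Return "ok" or a rejection reason. Every suffix is checked, not only the
    last one, so "shell.php.jpg" is rejected; the body must start with the
    extension's magic bytes and must not contain a PHP open tag."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if not suffixes:
        return "no extension"
    if any(s in SCRIPT_EXT for s in suffixes):
        return "script extension in name"
    ext = suffixes[-1]
    if ext not in ALLOWED_EXT:
        return f"extension {ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return f"content does not match {ext} magic bytes"
    if ext == ".webp" and data[8:12] != b"WEBP":
        return "RIFF container is not WEBP"
    if b"<?php" in data or b"<?=" in data:
        return "PHP open tag inside image payload"
    return "ok"


def audit_uploads(root: str) -> list:
    """Walk an uploads tree and return (relative path, reason) for every file
    that a strict image-upload endpoint would have rejected, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                verdict = classify_upload(name, fh.read())
            if verdict != "ok":
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


# Common/combined log format prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_php_requests(log_lines) -> list:
    """Flag every request for a script under wp-content/uploads/ and attach the
    requesting IP's most recent POST path (or None) as a pointer to the likely
    upload request. Returns (ip, script_path, prior_post_path) in log order."""
    last_post: dict = {}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        if method == "POST":
            last_post[ip] = path
        elif "/wp-content/uploads/" in path and path.lower().endswith(SCRIPT_EXT):
            hits.append((ip, path, last_post.get(ip)))
    return hits


# Constructed sample log. The POST target is WordPress's generic AJAX endpoint,
# used here only as a placeholder: the advisory does not name the vulnerable route.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2026:10:01:02 +0000] "GET /favicon.ico HTTP/1.1" 200 0',
    '203.0.113.5 - - [12/Jan/2026:10:01:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 118',
    '203.0.113.5 - - [12/Jan/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/01/x.php?c=id HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/01/logo.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Jan/2026:10:02:03 +0000] "GET /wp-content/uploads/2026/01/x.php HTTP/1.1" 200 512',
]


def build_sample_tree() -> str:
    """Constructed sample uploads tree: one genuine-looking PNG, a PHP file with
    a double extension, a bare PHP file and a JPEG header with PHP appended."""
    root = tempfile.mkdtemp(prefix="uploads-")
    d = Path(root) / "2026" / "01"
    d.mkdir(parents=True)
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (d / "shell.php.jpg").write_bytes(b"<?php system($_GET['c']); ?>")
    (d / "x.php").write_bytes(b"<?php eval($_POST['p']); ?>")
    (d / "polyglot.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php phpinfo(); ?>")
    return root


if __name__ == "__main__":
    for rel, why in audit_uploads(build_sample_tree()):
        print(f"{rel}: {why}")
    for ip, php, post in suspicious_php_requests(SAMPLE_LOG):
        print(f"{ip} requested {php}" + (f" after POST to {post}" if post else ""))
```

In a real handler the accepted file would also be written under a server-generated random name rather than the client-supplied one, and the audit should be run against the live wp-content/uploads tree and the full access log rather than the constructed samples. The log check deliberately flags any request for a script under uploads, not only those preceded by a POST, because a WordPress site has no legitimate reason to serve PHP from that directory.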
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate remediation is required to prevent total site compromise. Administrators should verify the integrity of their WordPress core, plugin and theme files, check wp-content/uploads for web shells that may already have been placed, and ensure the web server is configured not to execute scripts from the uploads directory (file-system permissions alone do not stop a PHP handler from running an uploaded .php file).