CVE-2026-1555

WebStack · WebStack Theme for WordPress

The WebStack WordPress theme contains an arbitrary file upload vulnerability in the io_img_upload() function, allowing unauthenticated attackers to execute remote code.

Executive summary

An unauthenticated arbitrary file upload vulnerability in the WebStack WordPress theme allows remote attackers to achieve full site compromise via malicious code execution.

Vulnerability

The io_img_upload() function lacks necessary file type validation, enabling an unauthenticated attacker to upload arbitrary files to the server. This flaw facilitates Remote Code Execution (RCE) by allowing the upload and subsequent execution of malicious scripts.

Business impact

With a CVSS score of 9.8, this vulnerability is critical as it allows complete site takeover without authentication. Successful exploitation can lead to data exfiltration, defacement, and the deployment of persistent backdoors or ransomware within the web server environment.

Remediation

Immediate Action: Update the WebStack theme to the latest version available; if no patch is available, disable the theme immediately.

Proactive Monitoring: Audit the server's uploads directory for unauthorized or anomalous file types and review web server logs for suspicious POST requests.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block unauthorized file uploads and restrict access to the upload directory.
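The "Proactive Monitoring" step above can be scripted. The following is an added example, not code from the advisory or from the WebStack theme: it walks an uploads tree and flags files that are not plain images (disallowed extension, double extension such as `name.php.jpg`, magic bytes that do not match the extension, or PHP open tags inside a file), and it scans web-server access-log lines for POST requests to upload-capable WordPress endpoints and for `.php` files being requested out of `/wp-content/uploads/`. The extension allowlist, the sample tree and the log lines are constructed for the demonstration; the advisory does not name the HTTP endpoint behind io_img_upload(), so the log check matches `admin-ajax.php` and theme paths generally rather than a specific action.

```python
import os
import re
import tempfile

# Constructed allowlist: what an image uploader should accept (assumption, adjust to your site).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
SCRIPT_EXT = {"php", "phtml", "php5", "php7", "phar", "htaccess"}

# Leading magic bytes for the allowed image formats.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_file(path):
    """Return the list of findings for one file; an empty list means it looks like a plain image."""
    findings = []
    exts = os.path.basename(path).lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last not in ALLOWED_EXT:
        findings.append("extension-not-allowed")
    # shell.php.jpg style names: a script extension hidden before the final one.
    if any(e in SCRIPT_EXT for e in exts[:-1]):
        findings.append("double-extension")
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if last in MAGIC and not head.startswith(MAGIC[last]):
        findings.append("magic-mismatch")
    if PHP_TAG.search(head):
        findings.append("php-code-inside")
    return findings


def audit_uploads(root):
    """Walk an uploads tree; return {relative_path: findings} for suspicious files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = classify_file(full)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


def suspicious_requests(lines):
    """Return (ip, path, reason) tuples for log lines worth a closer look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        bare = path.lower().split("?")[0]
        if method == "POST" and (bare.startswith("/wp-admin/admin-ajax.php")
                                 or "/wp-content/themes/" in bare):
            hits.append((ip, path, "post-to-upload-capable-endpoint"))
        elif "/wp-content/uploads/" in bare and bare.endswith(".php"):
            hits.append((ip, path, "script-requested-from-uploads"))
    return hits


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir and return its path (demo data only)."""
    root = tempfile.mkdtemp(prefix="uploads-audit-")
    samples = {
        "2026/01/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,        # genuine PNG header
        "2026/01/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,          # genuine JPEG header
        "2026/01/dropped.php": b"<?php /* constructed placeholder */ ?>",  # script in uploads
        "2026/01/image.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,     # double extension
        "2026/01/fake.png": b"<?php /* constructed placeholder */ ?>",  # PHP under image name
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2026:12:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Feb/2026:12:00:03 +0000] "GET /wp-content/uploads/2026/01/dropped.php HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Feb/2026:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rel, findings in audit_uploads(build_sample_tree()).items():
        print(rel, findings)
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run it against the real tree with `audit_uploads("/path/to/wp-content/uploads")` and feed `suspicious_requests()` the lines of the access log; a POST to an upload-capable endpoint followed shortly by a GET for a `.php` path under `uploads/` from the same address is the sequence to escalate. The magic-byte check matters because extension-only filters are exactly what an unvalidated uploader lets through.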

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate remediation is required to prevent total site compromise. Administrators should verify the integrity of their WordPress installations and ensure that directory permissions prevent the execution of scripts in upload folders.