What the vulnerability does
01 Description
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Sidepane WordPress Theme, Themify Newsy, Themify Folo, Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows uploading a web shell to a web server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.
Explanation of Vulnerability in Simple Terms
02 Summary
The Themify Sidepane WordPress theme through version 1.9.8 does not properly validate file uploads, allowing authenticated users to upload arbitrary files to the server. An attacker with a low-privilege account can upload malicious files, potentially gaining control over the site's content and functionality. This vulnerability affects all users and administrators on the site.
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files to the server and execute code or modify site content.
Potential impact on your site
04 Site Impact
Attackers with basic user accounts can upload malicious files, compromising site integrity and potentially taking over the entire WordPress installation.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (subscriber or contributor level).
Key dates
06 Disclosure timeline
January 6, 2026: CVE published
April 28, 2026: Record updated