CVE-2025-30996

CRITICAL

Themify WordPress Themes - Arbitrary File Upload

Title source: llm

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server.This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5.

References (10)

Core 10

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/sidepane/vulnerability/wordpress-themify-sidepane-wordpress-theme-1-9-8-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/newsy/vulnerability/wordpress-themify-newsy-1-9-9-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-1-9-6-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/photobox/vulnerability/wordpress-photobox-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/wigi/vulnerability/wordpress-wigi-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/rezo/vulnerability/wordpress-rezo-1-9-7-arbitrary-file-upload-vulnerability?_s_id=cve

Third Party Advisory vdb-entry

https://patchstack.com/database/wordpress/theme/slide/vulnerability/wordpress-slide-1-7-5-arbitrary-file-upload-vulnerability?_s_id=cve

Vdb Entry vdb-entry

https://patchstack.com/database/Wordpress/Theme/newsy/vulnerability/wordpress-themify-newsy-1-9-9-arbitrary-file-upload-vulnerability?_s_id=cve

Scores

CVSS v3 9.9

EPSS 0.0044

EPSS Percentile 34.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (9)

Themify/Bloggie < 2.0.8

Themify/Photobox < 2.0.1

Themify/Rezo < 1.9.7

Themify/Slide < 1.7.5

Themify/Themify Edmin < 2.0.0

Themify/Themify Folo < 1.9.6

Themify/Themify Newsy < 1.9.9

Themify/Themify Sidepane WordPress Theme < 1.9.8

Themify/Wigi < 2.0.1

Published Jan 06, 2026

Tracked Since Feb 18, 2026