CVE-2025-49071

CRITICAL

Flozen < 1.5.1 - Unauthenticated Arbitrary File Upload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-49071. PoCs published by xShadow-Here.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-49071, an unauthenticated arbitrary file upload vulnerability in the Flozen WordPress theme. The exploit automates the process of checking for vulnerable versions, uploading a malicious ZIP file, and verifying shell access.

Description

Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen (flozen-theme) allows uploading a web shell to a web server. This issue affects Flozen: from n/a through < 1.5.1.

Exploits (1)

nomisec WORKING POC
by xShadow-Here · poc
https://github.com/xShadow-Here/CVE-2025-49071


Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Flozen WordPress Theme < 1.5.1
No auth needed
Prerequisites: Target must be running Flozen WordPress Theme < 1.5.1 · Attacker must have network access to the target · Malicious ZIP file (shadow.zip) must be present in the same directory
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 10.0
EPSS 0.0045
EPSS Percentile 35.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
NasaTheme/Flozen < 1.5.1
Published Jun 17, 2025
Tracked Since Feb 18, 2026