CVE-2026-1555

CRITICAL

WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload

Title source: cna

Description

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (1)

nomisec WORKING POC 1 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-1555

Scores

CVSS v3: 9.8
EPSS: 0.0015
EPSS Percentile: 35.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): Owen/WebStack < 1.2024
Published: Apr 15, 2026
Tracked Since: Apr 15, 2026