EIP-2026-114313

PRE-CVE

WordPress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114313. PoCs published by DigiP.

AI-analyzed exploit summary The exploit demonstrates an unauthenticated file upload vulnerability in Clockstone and other CMSMasters WordPress themes (version 1.2 and lower). The vulnerable PHP script allows arbitrary file uploads via a direct POST request to `upload.php`, bypassing authentication and enabling remote code execution (RCE) by uploading malicious files.

Description

WordPress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Exploits (1)

exploitdb WORKING POC VERIFIED
by DigiP · textwebappsphp
https://www.exploit-db.com/exploits/23494

The exploit demonstrates an unauthenticated file upload vulnerability in Clockstone and other CMSMasters WordPress themes (version 1.2 and lower). The vulnerable PHP script allows arbitrary file uploads via a direct POST request to `upload.php`, bypassing authentication and enabling remote code execution (RCE) by uploading malicious files.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Clockstone WordPress Theme (and other CMSMasters themes) v1.2 and lower
No auth needed
Prerequisites: Access to the vulnerable `upload.php` endpoint · Ability to send HTTP POST requests with file uploads
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026