{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27043", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-19T14:49:20.612Z", "dateUpdated": "2026-04-07T09:10:37.740Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-07T09:10:37.740Z"}, "title": "WordPress Photography theme < 7.7.6 - Arbitrary File Upload vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "affected": [{"vendor": "ThemeGoods", "product": "Photography", "versions": [{"status": "affected", "version": "n/a", "lessThan": "7.7.6", "changes": [{"at": "7.7.6", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.<p>This issue affects Photography: from n/a before 7.7.6.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Photography theme to the latest available version (at least 7.7.6).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Photography theme to the latest available version (at least 7.7.6)."}]}], "credits": [{"lang": "en", "value": "Phat RiO - BlueRock | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T15:07:29.885127Z", "id": "CVE-2026-27043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:09:16.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T15:07:29.885127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:07:49.390Z"}}], "cna": {"title": "WordPress Photography theme < 7.7.6 - Arbitrary File Upload vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Phat RiO - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeGoods", "product": "Photography", "versions": [{"status": "affected", "changes": [{"at": "7.7.6", "status": "unaffected"}], "version": "n/a", "lessThan": "7.7.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Photography theme to the latest available version (at least 7.7.6).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Photography theme to the latest available version (at least 7.7.6).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.<p>This issue affects Photography: from n/a before 7.7.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-07T09:10:37.740Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27043", "state": "PUBLISHED", "dateUpdated": "2026-04-07T09:10:37.740Z", "dateReserved": "2026-02-17T13:23:18.876Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T14:49:20.612Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal.This issue affects Photography: from n/a before 7.7.6."}, {"lang": "es", "value": "Una vulnerabilidad de Carga sin Restricciones de Archivo con Tipo Peligroso en ThemeGoods Photography permite el salto de ruta. Este problema afecta a Photography: desde n/a hasta 7.7.5."}], "id": "CVE-2026-27043", "lastModified": "2026-04-07T10:16:03.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T15:16:24.083", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.7.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Photography", "source": "cna", "vendor": "ThemeGoods"}, "product": "photography", "vendor": "themegoods"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-07T10:50:41.447717+00:00", "value": {"mitigation_remediation": ["Upgrade the Photography theme to version 7.7.6 or later."], "summary": {"action": "Patch", "impact": "Arbitrary File Upload leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "ThemeGoods Photography WordPress theme versions earlier than 7.7.6 are affected. Site owners using any older release of this theme are exposed to the described risk.", "description_and_impact": "Exploiting the Photography theme\u2019s upload feature, an attacker can upload files of any type without proper validation. This unrestricted file upload coupled with path traversal enables the attacker to place malicious code on the server, which can then be executed, granting compromise of confidentiality, integrity, and availability. The weakness corresponds to the standard file\u2011upload vulnerability enumeration.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 7.2, indicating a high severity classification, and an EPSS score below 1%, suggesting that exploitation is presently uncommon. The issue is not listed in the national Known Exploited Vulnerabilities catalog. The likely attack vector involves the theme\u2019s web\u2011based upload form; the attacker submits a crafted file that bypasses type checks, potentially leveraging path traversal to place it in a location that can be executed by the webserver."}}}}, "created": "2026-03-20T08:56:44.601546+00:00", "updated": "2026-04-08T20:01:28.767568+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$photography", "wordpress", "wordpress$PRODUCT$wordpress"]}