Arbitrary File Upload Vulnerability in WebStack Theme for WordPress
CVE-2026-1555

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Webstack
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-1555?

The WebStack theme for WordPress contains a vulnerability that permits arbitrary file uploads due to insufficient file type validation in the io_img_upload() function. Any attacker, even those without authentication, can exploit this weakness to upload malicious files to the server hosting the affected site. This can lead to severe security risks, including remote code execution, if targeted files are executed by the server.

Affected Version(s)

WebStack 0 <= 1.2024

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/owen0o0/WebStack/blob/master/inc/ajax....

https://github.com/owen0o0/WebStack/tree/master

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Jan 28, 2026

Credit

Chiao-Lin Yu

CVE-2026-1555 Data

JSON