Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-1555 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-22 |
| Vendor | WordPress |
| Product | WebStack (theme) |
| CVSS Score | 9.8 (critical) |
| EPSS Score | 0.1% (percentile: 35%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
Required Actions
Update the WebStack theme to a version higher than 1.2024 immediately, in which the vulnerability is patched. Until the update is applied, consider disabling the theme or restricting access to the upload function via a WAF. Review the uploads directory for unauthorized files (especially .php and .phtml) and verify the integrity of the WordPress installation.
Who Is Affected?
This vulnerability affects the WebStack theme for WordPress in all versions up to and including 1.2024. Check whether your organization uses this theme and update it to the patched version without delay.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
