CVE-2026-40750
Description
Kids Online Store theme ≤0.8.9 allows unauthenticated arbitrary file upload, enabling web shell deployment and full site compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Kids Online Store, a WordPress theme by themagnifico52, contains an Unrestricted Upload of File with Dangerous Type vulnerability in versions from n/a through 0.8.9. The theme fails to properly validate file types during upload, allowing an attacker to upload arbitrary files including executable scripts (web shells) to the web server [1].
Exploitation
An unauthenticated attacker with network access to a WordPress site running the vulnerable theme can upload a malicious file (e.g., a PHP web shell) through the theme's file upload functionality. No prior authentication or special privileges are required. The attacker simply submits a crafted file upload request, bypassing content-type or extension checks due to the lack of proper validation [1].
Impact
Successful exploitation allows the attacker to upload and execute a web shell on the server, granting them remote code execution with the web server's privileges. This can lead to full site compromise, including data theft, backdoor installation, and further propagation within the hosting environment. The vulnerability is rated Critical with a CVSS v3 score of 9.9 [1].
Mitigation
The vendor has released a fix; users must update the Kids Online Store theme to a version higher than 0.8.9 immediately. If unable to update, contact your hosting provider or web developer for assistance. The vulnerability is listed as highly likely to be exploited in mass campaigns [1].
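As an illustration of the validation the description says is missing, the following is an added example of a hardened upload handler for a WordPress theme; it is not code from the Kids Online Store theme or its vendor, and the hook name, function name, nonce name and form field name (`kos_*`) are assumptions chosen for this example. It shows the controls that break the unauthenticated-upload-to-web-shell chain: no anonymous endpoint, a capability check, CSRF protection, an allowlist checked against both extension and file contents, and delegation to WordPress core's uploader.

```php
<?php
// Added example, not the theme's own code. Names prefixed kos_ are assumptions.

// Register the handler only for authenticated requests. Deliberately NOT hooked on
// admin_post_nopriv_kos_upload, so anonymous visitors have no upload endpoint at all.
add_action( 'admin_post_kos_upload', 'kos_handle_upload' );

function kos_handle_upload() {
    // 1. Authorization: the caller must be logged in and allowed to upload files.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'kos_upload_action', 'kos_upload_nonce' );

    if ( empty( $_FILES['kos_file'] ) || UPLOAD_ERR_OK !== $_FILES['kos_file']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['kos_file'];

    // 3. Allowlist: only the image types this feature actually needs. Anything not
    //    listed here (php, phtml, html, svg, ...) is rejected, whatever the client claims.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );

    // 4. Validate the extension AND the content together. wp_check_filetype_and_ext()
    //    sniffs the file's magic bytes, so a PHP script renamed shell.php.jpg or
    //    shell.jpg is rejected because its contents are not an image.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! isset( $allowed[ $check['ext'] ] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }

    // 5. Size limit, so the endpoint cannot be used to fill the disk.
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        wp_die( 'File too large', '', array( 'response' => 413 ) );
    }

    // 6. Hand the file to core's uploader: it re-checks the allowlist, sanitizes the
    //    filename, and stores the file under wp-content/uploads rather than a path
    //    the client can influence.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'kos_uploaded', '1', wp_get_referer() ) );
    exit;
}
```

The form that posts to this handler must include `wp_nonce_field( 'kos_upload_action', 'kos_upload_nonce' )` and a hidden `action=kos_upload` field. As defence in depth, site operators can also configure the web server so that files under `wp-content/uploads` are never executed as PHP; then even a file that slips past validation cannot be run as a web shell.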
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=0.8.9
- (no CPE) range: <0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.