Cyber Resilience

CVE-2025-62056

Critical

Published: 22 January 2026

Modified: 15 April 2026
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0048 (37.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-62056 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 37.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62056 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the News Event WordPress theme developed by BlazeThemes. The issue affects the News Event theme from unknown initial versions through version 1.0.1.

The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity by an authenticated user with low privileges and no user interaction required. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, likely enabling arbitrary file uploads that could lead to remote code execution or full server compromise due to the changed scope.

Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve. The vulnerability was published on 2026-01-22T17:15:58.757.

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event (news-event). This issue affects News Event: from n/a through <= 1.0.1.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Unrestricted arbitrary file upload (CWE-434) in a public-facing WordPress theme directly enables web shell deployment and remote code execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-22654 (shared CWE-434)
- CVE-2025-11948 (shared CWE-434)
- CVE-2025-67260 (shared CWE-434)
- CVE-2025-28915 (shared CWE-434)
- CVE-2023-53956 (shared CWE-434)
- CVE-2025-6058 (shared CWE-434)
- CVE-2021-47819 (shared CWE-434)
- CVE-2025-7852 (shared CWE-434)
- CVE-2026-4883 (shared CWE-434)
- CVE-2019-25630 (shared CWE-434)

Mitigating Controls (NIST 800-53 r5) [AI]

- Prevent (SI-2, Flaw Remediation): Directly mitigates the CVE by requiring timely remediation and patching of the vulnerable News Event WordPress theme to versions beyond 1.0.1.
- Prevent (SI-10, Information Input Validation): Validates the content of file uploads to the WordPress theme, preventing acceptance of dangerous file types that could lead to remote code execution.
- Prevent: Restricts file uploads in the News Event theme to only permitted types and characteristics, blocking unrestricted uploads of dangerous files by low-privilege users.
