Cyber Resilience

CVE-2026-24960

Severity: Critical
Published: 05 March 2026
Modified: 22 April 2026
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0033 (24.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-24960 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24960 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Charety WordPress theme developed by zozothemes. It enables attackers to upload malicious files. The vulnerability affects all versions of the Charety theme prior to 2.0.2 (the advisory gives no lower bound, listed as "n/a").

An attacker with low privileges, such as an authenticated WordPress user, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, with a scope change, as reflected in the CVSS v3.1 base score of 9.9. This could allow arbitrary file uploads leading to severe compromise, such as remote code execution on the targeted WordPress site.

The Patchstack advisory for this vulnerability in the Charety WordPress theme confirms it as an arbitrary file upload issue fixed in version 2.0.2. Security practitioners should urge users to update the Charety theme to version 2.0.2 or later to mitigate the risk.

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files. This issue affects Charety: from n/a through < 2.0.2.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unrestricted arbitrary file upload (CWE-434) in a public-facing WordPress theme directly enables T1190 (exploiting the public-facing application for initial access), T1105 (ingress of malicious files), T1505.003 (web shell deployment for RCE and persistence), and T1059 (command or script execution via the uploaded payload).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26325 (shared CWE-434)
CVE-2025-54444 (shared CWE-434)
CVE-2025-66256 (shared CWE-434)
CVE-2025-1025 (shared CWE-434)
CVE-2016-15043 (shared CWE-434)
CVE-2024-13448 (shared CWE-434)
CVE-2025-13689 (shared CWE-434)
CVE-2024-13333 (shared CWE-434)
CVE-2013-10040 (shared CWE-434)
CVE-2026-32523 (shared CWE-434)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly prevents unrestricted uploads of dangerous file types by validating file inputs for type, size, and content in the Charety theme's upload functionality.

SI-2 Flaw Remediation (prevent): Mitigates the specific vulnerability by requiring timely identification, reporting, and patching of the Charety theme flaw fixed in version 2.0.2.

prevent: Enforces restrictions on file types and sources at upload boundaries to block dangerous files exploitable via the Charety theme vulnerability.
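As an added illustration of the input-validation control (SI-10) described above, the following is a hardened WordPress AJAX upload handler. It is not the Charety theme's code and not taken from the Patchstack advisory; the hook name, nonce action and the `charety_file` field name are assumptions.

```php
<?php
// Illustrative hardened AJAX upload handler for a WordPress theme. This is not
// the Charety theme's code; the hook name, nonce action and $_FILES field name
// ('charety_file') are assumptions.
add_action( 'wp_ajax_charety_safe_upload', 'charety_safe_upload_handler' );
// No matching 'wp_ajax_nopriv_' hook: unauthenticated visitors cannot reach it.

function charety_safe_upload_handler() {
    // 1. Valid nonce and a user holding the upload_files capability.
    check_ajax_referer( 'charety_safe_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['charety_file'] ) || UPLOAD_ERR_OK !== $_FILES['charety_file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['charety_file'];

    // 2. Size limit enforced by the handler, independent of php.ini.
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        wp_send_json_error( 'file too large', 413 );
    }

    // 3. Extension/MIME allowlist. .php, .phtml and double extensions such as
    //    shell.php.png are not in it and are rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $file['name'] = sanitize_file_name( $file['name'] );
    // Core checks the extension against the allowlist and, for images, the real
    // content (getimagesize()/finfo), not just the client-supplied MIME type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // content and claimed extension disagreed
    }

    // 4. Core stores the file under wp-content/uploads with a unique name.
    //    test_form => false because this is an AJAX request, not the media form.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Pair this with a web-server rule that refuses to execute scripts under wp-content/uploads, so a file that slips past validation still cannot run.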
