CVE-2026-24960
Published: 05 March 2026
Summary
CVE-2026-24960 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24960 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Charety WordPress theme developed by zozothemes. It allows attackers to upload malicious files. All versions of the Charety theme prior to 2.0.2 are affected (the lower bound is listed as n/a).
An attacker with low privileges, such as an authenticated WordPress user, can exploit this vulnerability remotely with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, with a scope change, as reflected in the CVSS v3.1 base score of 9.9. Arbitrary file upload of this kind can lead to severe compromise, such as remote code execution on the targeted WordPress site.
The Patchstack advisory for this vulnerability in the Charety WordPress theme confirms it as an arbitrary file upload issue fixed in version 2.0.2. Security practitioners should urge users to update the Charety theme to version 2.0.2 or later to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9601
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files. This issue affects Charety: from n/a through < 2.0.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted arbitrary file upload (CWE-434) in public-facing WordPress theme directly enables T1190 (exploit public-facing app for initial access), T1105 (ingress of malicious files), T1505.003 (web shell deployment for RCE/persistence), and T1059 (command/script execution via uploaded payload).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents unrestricted uploads of dangerous file types by validating file inputs for type, size, and content in the Charety theme's upload functionality.
- SI-2 (Flaw Remediation): Mitigates the specific vulnerability by requiring timely identification, reporting, and patching of the Charety theme flaw fixed in version 2.0.2.
- Enforces restrictions on file types and sources at upload boundaries to block dangerous files exploitable via the Charety theme vulnerability.
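The SI-10 control above describes validating uploads for type, size, and content. The following standalone Python validator is an added example of what that looks like in practice; it is not code from the Charety theme, from zozothemes, or from the Patchstack advisory. The allow-list, size limit, magic-byte table, and the `validate_upload` and `sniff_content_type` names are all constructed for the illustration. The same checks apply to any upload endpoint, not only a WordPress theme: the client-declared MIME type is ignored entirely, the extension must be on an allow-list, the sniffed content must agree with that extension, and the server (not the client) chooses the stored filename.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Allow-list: extension -> content types accepted for it. Anything not listed is refused,
# so .php, .phtml, .phar and similar never get past the first two checks.
ALLOWED_TYPES = {
    "png": {"image/png"},
    "jpg": {"image/jpeg"},
    "jpeg": {"image/jpeg"},
    "gif": {"image/gif"},
    "pdf": {"application/pdf"},
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for this example

# Leading-byte signatures used to sniff the real content type; the client's
# Content-Type header is untrusted and is deliberately not consulted.
MAGIC_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Exactly one base name and one extension, no path separators, extra dots, NULs or
# spaces. This single pattern rejects double-extension, traversal and NUL-byte names.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")

# Heuristic: markers that have no business inside an image or PDF. Long enough that a
# chance match in binary data is negligible. This is defence in depth only; uploads
# must also be stored where the web server never executes them.
SCRIPT_MARKERS = (b"<?php", b"<script")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def sniff_content_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unrecognised."""
    for signature, content_type in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return content_type
    return None


def validate_upload(filename: str, data: bytes) -> UploadDecision:
    """Apply the CWE-434 checks in order; the first failing check is reported."""
    if not SAFE_FILENAME.match(filename):
        return UploadDecision(False, "filename rejected")
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} not allowed")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "size out of range")
    actual = sniff_content_type(data)
    if actual not in ALLOWED_TYPES[ext]:
        return UploadDecision(False, "content does not match extension")
    if any(marker in data for marker in SCRIPT_MARKERS):
        return UploadDecision(False, "embedded script markers")
    # Server-chosen random name: the client never influences the stored path.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a PNG/PHP polyglot.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    for name, payload in [("avatar.png", png), ("shell.php.png", png),
                          ("avatar.png", png + b"<?php echo 1; ?>")]:
        print(name, validate_upload(name, payload))
```

The order of the checks matters for the error messages but not for safety: every check must pass before a file is accepted, and the decision object carries a single reason so the caller can log it without leaking more than necessary to the uploader.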