CVE-2026-27043
Published: 19 March 2026
Summary
CVE-2026-27043 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27043 is an Unrestricted Upload of File with Dangerous Type vulnerability in the ThemeGoods Photography WordPress theme that also allows path traversal, so an uploaded file can land outside the intended upload directory. It affects all versions of the Photography theme prior to 7.7.6 (the advisory lists the range as "n/a through < 7.7.6"; 7.7.6 is the fixed release) and is classified under CWE-434.
With a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network with low complexity by an authenticated user possessing high privileges, such as an administrator, without requiring user interaction. Successful exploitation allows attackers to upload files with dangerous types to arbitrary locations via path traversal, resulting in high impacts to confidentiality, integrity, and availability, potentially enabling full system compromise.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve) details this as an arbitrary file upload vulnerability specifically in Photography theme version 7.7.5, with mitigation achieved by updating to version 7.7.6 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13107
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal. This issue affects Photography: from n/a through < 7.7.6.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1505.003 Server Software Component: Web Shell
Why these techniques?
Arbitrary file upload with path traversal in a public-facing WordPress theme directly enables exploitation of the web application (T1190) and installation of a web shell for execution and persistence (T1505.003). Note the PR:H in the vector: the upload endpoint requires high privileges, so the T1190 step presupposes a compromised or malicious administrator account; once a PHP file has been written outside the uploads directory, the web shell gives the attacker code execution and persistence that no longer depends on WordPress credentials and survives a password reset.
Affected Assets
- ThemeGoods Photography WordPress theme, all versions prior to 7.7.6 (fixed in 7.7.6)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely flaw remediation by updating the Photography WordPress theme to version 7.7.6 or later directly eliminates the unrestricted file upload with path traversal vulnerability.
- SI-10 (Information Input Validation): information input validation checks uploaded files for dangerous types and blocks path traversal attempts, mitigating the core vulnerability.
- Information input restrictions: limiting file upload interfaces to authorized types and paths only prevents exploitation of unrestricted dangerous file uploads.
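The following is an added example, not code from the Photography theme, from ThemeGoods or from Patchstack, and it does not reproduce the theme's vulnerable handler (the advisory does not publish it). It illustrates the CWE-434 plus path-traversal bug class in general and the SI-10 style controls above, using WordPress core APIs that do exist (current_user_can, check_ajax_referer, sanitize_file_name, wp_check_filetype_and_ext, wp_handle_upload, wp_get_upload_dir, wp_delete_file). The function names pg_upload_unsafe and pg_upload_safe, the AJAX action pg_upload, the nonce action pg_upload_nonce and the image-only allowlist are assumptions made for the example.

```php
<?php
// Added example (hypothetical handler names), not the Photography theme's code.
// Requires WordPress to be loaded; intended to live in a theme or plugin file.

// --- Vulnerable pattern (illustrative of the bug class, not the theme's code) ---
// Trusts a client-supplied folder and file name. "folder=../../" walks out of the
// uploads tree, and "name=shell.php" is never checked against an allowlist, so an
// attacker with access to this endpoint writes a web shell anywhere PHP can write.
function pg_upload_unsafe() {
    $target = $_POST['folder'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], ABSPATH . $target );
}

// --- Hardened pattern ---
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_pg_upload, so anonymous users never reach the handler.
add_action( 'wp_ajax_pg_upload', 'pg_upload_safe' );

function pg_upload_safe() {
    // 1. Authorisation and CSRF: capability check plus nonce. This matters even
    //    for admin-only endpoints (PR:H in the CVSS vector): a nonce stops a
    //    logged-in admin being driven into the upload from a hostile page.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pg_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 2. Never take a destination directory from the client. sanitize_file_name()
    //    strips path separators, "..", control characters and other unsafe bytes,
    //    which closes the traversal half of the bug.
    $name = sanitize_file_name( wp_unslash( $_FILES['file']['name'] ) );
    if ( '' === $name ) {
        wp_send_json_error( 'bad name', 400 );
    }

    // 3. Allowlist the type, not just the extension. wp_check_filetype_and_ext()
    //    sniffs the real content of images and returns empty ext/type when the
    //    file is not an allowed type, so "shell.php" and "shell.php.jpg" that
    //    is really PHP are both rejected. Allowlist is an assumption: images only.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // Content and extension disagreed; use the name core corrected.
        $name = $check['proper_filename'];
    }

    // 4. Let core perform the move. wp_handle_upload() always writes into the
    //    uploads directory with a uniquified, sanitized name; it never honours a
    //    client-chosen path. 'mimes' re-enforces the allowlist inside core.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $_FILES['file']['name'] = $name;
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // 5. Defence in depth: confirm the resolved path is inside uploads/basedir.
    //    If anything upstream regressed, delete the file rather than keep it.
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $result['file'] );
    if ( false === $real || false === $base
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_delete_file( $result['file'] );
        wp_send_json_error( 'path check failed', 500 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two controls the advisory page names map onto steps 2 and 3 (input validation: sanitized name, content-based allowlist) and step 1 (input restriction: only users with upload_files, only via a nonce-protected authenticated AJAX action). Step 5 is the check a practitioner adds so that a future regression in the name handling fails closed instead of silently writing outside the uploads tree. Whatever the handler does, the fix for the real CVE is still the SI-2 step: update the theme to 7.7.6 or later.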