Cyber Resilience

CVE-2026-27043

Severity: High
Published: 19 March 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: update to Photography theme 7.7.6 or later
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27043 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27043 is an Unrestricted Upload of File with Dangerous Type vulnerability in the ThemeGoods Photography WordPress theme, combined with path traversal in the upload destination. The issue affects all versions of the Photography theme prior to 7.7.6 (no lower bound is given) and is classified under CWE-434.

With a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network with low complexity and no user interaction, but only by an authenticated user holding high privileges (an administrator). Successful exploitation lets the attacker upload a file of a dangerous type to an arbitrary location via path traversal, with high impact to confidentiality, integrity, and availability; in a WordPress deployment that typically means remote code execution on the web server through a dropped PHP file. Because PR:H already assumes administrator-level access, the practical exposure is concentrated where an admin account can be obtained through credential reuse, phishing, or a chained lower-severity bug.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-arbitrary-file-upload-vulnerability?_s_id=cve) details this as an arbitrary file upload vulnerability specifically in Photography theme version 7.7.5, with mitigation achieved by updating to version 7.7.6 or later.

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography photography allows Path Traversal. This issue affects Photography: from n/a through < 7.7.6.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload with path traversal in a public-facing WordPress theme directly enables exploitation of the web application (T1190) and, once a PHP file lands in a web-served directory, installation of a web shell for execution and persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
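A hunt for the T1505.003 outcome, as an added example that is not part of the original page and not code from the affected theme or from Patchstack: it walks a constructed uploads tree (built inline by build_sample_tree, an assumption standing in for a real wp-content/uploads directory) and flags files that should never exist there after a clean install. The extension list and the content markers are heuristics of mine, not a signature database, so expect false positives on large real trees.

```python
"""Hunt for web shells under a WordPress uploads tree (T1505.003), as an
added example. The tree is constructed inline; extensions and content
markers are my heuristics, not a signature database."""
import re
import tempfile
from pathlib import Path

# Script-capable suffixes that never belong under wp-content/uploads.
EXECUTABLE_EXT = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".pht"}

# Constructs typical of PHP one-liner shells; tuned for recall, expect FPs.
SHELL_MARKERS = re.compile(
    rb"<\?php|<\?=|\beval\s*\(|\bsystem\s*\(|\bpassthru\s*\(|\bshell_exec\s*\(|"
    rb"\bbase64_decode\s*\(|\$_(?:GET|POST|REQUEST|COOKIE)\["
)


def scan_uploads(root: Path) -> list:
    """Return [(relative_path, [reasons])] for every suspicious file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        # Look at every suffix, so 'gallery.php.jpg' is caught as well.
        if any(s.lower() in EXECUTABLE_EXT for s in path.suffixes):
            reasons.append("executable extension")
        # A dropped .htaccess can re-enable PHP execution for the directory.
        if path.name == ".htaccess":
            reasons.append(".htaccess under uploads")
        # Only the first 64 KiB is read: shells are small, images are not.
        if SHELL_MARKERS.search(path.read_bytes()[:65536]):
            reasons.append("PHP/shell markers in content")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_tree() -> Path:
    """Constructed stand-in for wp-content/uploads after a CWE-434 exploit."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    files = {
        "2026/03/photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "2026/03/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
        "2026/03/notes.txt": b"nothing to see here\n",
        "2026/03/shell.php": b"<?php @eval($_POST['x']); ?>",
        "2026/03/gallery.php.jpg": b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>",
        "2026/03/.htaccess": b"AddType application/x-httpd-php .jpg\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_tree()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the real uploads directory with scan_uploads(Path("/var/www/html/wp-content/uploads")) (path assumed). Pair the hunt with a web-server rule that refuses to execute scripts under uploads at all, for example an nginx location block matching /wp-content/uploads/.*\.php$ with deny all, or an Apache FilesMatch deny for PHP suffixes in that directory; neither is from the page, but either makes a shell that does land inert.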

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Updating the Photography WordPress theme to version 7.7.6 or later removes the unrestricted file upload with path traversal at its source.

prevent · SI-10 (Information Input Validation): Server-side validation of uploaded files (a type allowlist checked against file content, not only the declared extension, and rejection of path separators and traversal sequences in the target name) blocks both halves of the vulnerability. Client-side checks alone do not count, since the attacker controls the request.

prevent · Information input restrictions: Restricting each upload interface to the file types and destination directory it actually needs, and denying script execution under the upload directory, limits what an attacker gains even if a dangerous file gets through.
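The server-side validation those controls describe, as an added example (my code, not ThemeGoods' and not WordPress core's): the allowlist, magic bytes and upload root are assumptions for a hypothetical image-upload endpoint. What it shows is that the name check, the content check and the containment check on the resolved path each stop a different bypass, and that dropping any one of them reopens a hole.

```python
"""Server-side upload validation of the kind SI-10 describes, as an added
example (not the Photography theme's code). The allowlist, magic bytes and
upload root below are assumptions for a hypothetical image-upload endpoint."""
import os
import re
import tempfile
from pathlib import Path

# Assumed allowlist: the endpoint only needs raster images.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}

# Leading bytes for each allowed type; bytes.startswith accepts a tuple.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}


class UploadRejected(ValueError):
    """Raised for any input the handler refuses to write to disk."""


def safe_filename(client_name: str) -> str:
    """Reduce the client-supplied name to a single allowlisted basename.

    Rejects NUL bytes (the classic 'shell.php\\x00.png' truncation), any
    path separator (so '../../wp-config.php' never reaches a filesystem
    call), and multi-dot names such as 'shell.php.jpg' that some Apache
    AddHandler configurations execute as PHP.
    """
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in filename")
    if "/" in client_name or "\\" in client_name:
        raise UploadRejected("path separator in filename")
    parts = client_name.split(".")
    if len(parts) != 2:
        raise UploadRejected("filename must be stem.ext with exactly one dot")
    stem, ext = parts[0], parts[1].lower()
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        raise UploadRejected("stem contains disallowed characters")
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension .{ext} is not allowed")
    return f"{stem}.{ext}"


def validate_content(data: bytes, ext: str) -> None:
    """Check the bytes match the declared type and carry no PHP open tag.

    The tag check is defence in depth against image/PHP polyglots on hosts
    that have been misconfigured to execute files under uploads.
    """
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared extension")
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image payload")


def store_upload(upload_root: Path, client_name: str, data: bytes) -> Path:
    """Validate, then write under upload_root without following symlinks."""
    name = safe_filename(client_name)
    validate_content(data, name.rsplit(".", 1)[1])
    root = upload_root.resolve()
    dest = (root / name).resolve()
    # Containment: the resolved target must sit directly under the root.
    # A pre-planted symlink at root/name would resolve elsewhere and fail here.
    if dest.parent != root:
        raise UploadRejected("resolved path escapes the upload root")
    # O_EXCL refuses to overwrite anything already present at that path.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run the handler over constructed inputs and report each outcome."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    good_png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    results = {"accepted": store_upload(root, "avatar.PNG", good_png).name}
    attacks = {  # constructed bypass attempts, all of which must be refused
        "traversal": ("../../wp-config.php", good_png),
        "php_ext": ("shell.php", b"<?php system($_GET['c']); ?>"),
        "double_ext": ("shell.php.jpg", b"\xff\xd8\xff<?php ?>"),
        "nul_byte": ("shell.php\x00.png", good_png),
        "polyglot": ("cat.png", good_png + b"<?php echo 1; ?>"),
        "mismatch": ("cat.png", b"GIF89a" + bytes(8)),
    }
    for label, (name, data) in attacks.items():
        try:
            store_upload(root, name, data)
            results[label] = "ACCEPTED"  # a bug if it ever happens
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

In a WordPress theme or plugin this is the job of wp_handle_upload(), which calls wp_check_filetype_and_ext() to reconcile the declared extension with the file's real content, rather than a hand-rolled handler; a theme that calls move_uploaded_file() with a destination built from a client-supplied name is the pattern CWE-434 names.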
