CVE-2026-22327: WordPress Restaurt theme <= 1.0.4 - Arbitrary File Upload vulnerability
Subscriber Arbitrary File Upload in Restaurt <= 1.0.4 versions.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: — (no fixed version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability exists in the Restaurt WordPress theme (versions 1.0.4 and earlier), allowing an attacker who can reach the site over the network and holds only a subscriber-level account to upload arbitrary files to the server. Subscriber is the lowest-privileged authenticated role in WordPress, so the barrier to exploitation is exceptionally low. Successful exploitation gives the attacker full control over the confidentiality, integrity, and availability of the affected system, including the ability to execute code remotely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle the Restaurt theme. Coverage extends to any registry or CI pipeline connected to a customer HarborGuard account.
- Scoring and escalation: Available
HarborGuard scores this finding at its published CVSS v3.1 rating of 9.9 (Critical) and weights it against each customer environment's compliance policy to determine escalation priority. Findings that breach a configured severity threshold are routed to the appropriate team inbox or ticketing integration within that customer organization.
- Patched-image rebuild: Pending upstream
Because no fix version has been published upstream for CVE-2026-22327, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers with auto-remediation enabled are flagged for compensating controls, as described in the recommendation.
Exploit Conditions
- Network reachability: Required
The vulnerable theme endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
A low-privilege subscriber-level WordPress account is sufficient; no administrative access is needed, but some form of valid login is required.
- Victim interaction: Not required
The attacker can upload a malicious file without any action from another user or administrator.
- Attack complexity: Low
The exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.
Blast Radius
- An attacker uploads and executes a web shell or malicious script, achieving remote code execution on the host running WordPress.
- All files and data readable by the web server process are exposed, including database credentials, configuration secrets, and stored user data.
- An attacker can modify, overwrite, or delete theme files, plugins, and content, defacing the site or embedding persistent backdoors.
- The web server process can be disrupted or the host destabilized, taking the WordPress site offline.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-22327 as of the publication date, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by an automated regression run and a PR opened against affected workloads. While no fix is available, compensating controls that HarborGuard can help surface and enforce include network-policy isolation to restrict inbound access to the WordPress file upload endpoint, egress filtering to prevent a compromised container from reaching external infrastructure, and disabling or removing the Restaurt theme entirely from images where it is not required. Customers whose compliance policy flags Critical findings for immediate action will see this CVE routed to their configured escalation path without delay.
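As an added defender-side check (not HarborGuard's own code and not the theme's), the following Python reads the header block WordPress keeps in a theme's style.css and reports whether an image or checkout bundles Restaurt at version 1.0.4 or earlier, which is the version range this advisory covers. The theme directory slug and the sample header are assumptions, since the advisory does not state them.

```python
import re
from pathlib import Path

# Assumption (not stated in the advisory): the theme's directory slug is "restaurt".
THEME_SLUG = "restaurt"
# From the advisory: every version up to and including 1.0.4 is affected; no fixed version exists yet.
LAST_VULNERABLE = "1.0.4"

# Constructed sample of a WordPress theme header block, used only to exercise the checker.
SAMPLE_STYLE_CSS = """/*
Theme Name: Restaurt
Theme URI: https://example.invalid/restaurt
Author: Zozothemes
Version: 1.0.4
*/"""


def parse_theme_header(style_css: str) -> dict:
    """Read the 'Key: value' lines WordPress expects in the leading comment of style.css."""
    header = {}
    block = re.search(r"/\*(.*?)\*/", style_css, re.S)
    if not block:
        return header
    for line in block.group(1).splitlines():
        kv = re.match(r"\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if kv:
            header[kv.group(1).strip().lower()] = kv.group(2).strip()
    return header


def version_tuple(version: str) -> tuple:
    """'1.0.4' -> (1, 0, 4). A pre-release suffix ('-beta') is dropped; non-numeric parts count as 0."""
    base = version.strip().split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))


def is_vulnerable(header: dict) -> bool:
    """True when the header names the Restaurt theme at a version <= 1.0.4."""
    name = header.get("theme name", "").lower()
    version = header.get("version")
    if THEME_SLUG not in name or not version:
        return False
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE)


def scan_wordpress_root(root: Path) -> list:
    """Return every themes/*/style.css under a WordPress tree that declares an affected Restaurt version."""
    hits = []
    for css in root.glob("wp-content/themes/*/style.css"):
        if is_vulnerable(parse_theme_header(css.read_text(errors="replace"))):
            hits.append(str(css))
    return hits
```

Point `scan_wordpress_root` at an extracted image filesystem or a site checkout (for example the directory holding wp-content) to list affected copies of the theme.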
Affected Products
- Zozothemes / Restaurt ≤ 1.0.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H