CVE-2026-27419: WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability
Subscriber-level arbitrary file upload in Zegen versions <= 1.1.9.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability affects the Zegen WordPress theme versions 1.1.9 and earlier. The flaw is reachable over the network and requires only a low-privilege subscriber-level account, meaning any registered user on an affected WordPress site can exploit it. Successful exploitation allows an attacker to upload and execute arbitrary files on the server, resulting in full remote code execution, complete data access, and the ability to disrupt or take over the affected environment. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection capability for CVE-2026-27419 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images and pipeline builds, including custom WordPress-based images. Coverage extends to any image that bundles the Zegen theme at a vulnerable version.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 9.9 Critical and weighting it against each customer organization's compliance policy to determine urgency. Triage output is routed to the appropriate team inbox within each customer org based on configured ownership rules.
Status: Available
Because no upstream fix version has been published for CVE-2026-27419, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Zozothemes ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
A low-privilege subscriber-level account is sufficient; no administrative or elevated role is needed.
- Victim interaction: Not required
No action from any other user or administrator is needed to complete the attack.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions or special environmental factors are required.
Blast Radius
- An attacker uploads a malicious file (such as a PHP web shell) and achieves remote code execution on the host running WordPress.
- With code execution, the attacker reads all data stored in the WordPress database, including user credentials, session tokens, and customer records.
- The attacker can modify or delete any files and database rows accessible to the web server process.
- The attacker can crash or disable the WordPress service entirely, causing a full outage of the affected site.
How HarborGuard Handles This
Available on HarborGuard: detection for this Critical-severity file upload vulnerability is active across the platform and matches any image bundling Zegen theme version 1.1.9 or earlier, including internally built WordPress images. Because Zozothemes has not yet published a patched release, HarborGuard monitors the advisory on every ingest cycle and will surface the fix the moment it becomes available upstream. In the interim, compensating controls are worth considering: network-policy rules can restrict inbound access to WordPress upload endpoints, egress filtering can limit what the web server process is permitted to reach, and disabling subscriber self-registration removes the authentication prerequisite for this exploit entirely. For customers with auto-remediation enabled, a rebuilt image, regression test run, and a PR opened against affected workloads will be triggered automatically once a fix version is published upstream.
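As an added example (not HarborGuard's scanner or Zozothemes' code), the check below flags a bundled Zegen theme at an affected version by reading the `Version:` header that WordPress requires in a theme's `style.css`. The theme directory layout and the sample headers are constructed for the example, and the name match assumes the header reads `Theme Name: Zegen`.

```python
"""Flag a WordPress theme directory that bundles Zegen at a version <= 1.1.9.

The comparison is numeric per component, so 1.1.10 is correctly treated as
newer than 1.1.9 (a plain string compare would mis-order those). Sample
headers below are constructed, not taken from the advisory or the theme.
"""
import re
from pathlib import Path

AFFECTED_THEME = "Zegen"
LAST_VULNERABLE = "1.1.9"  # advisory says "<= 1.1.9"; no fixed release yet

# Matches "Theme Name: X" / "Version: Y" lines inside the style.css header comment.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_theme_header(style_css: str) -> dict:
    """Return {'Theme Name': ..., 'Version': ...} parsed from a style.css header."""
    return {key: value for key, value in _HEADER_RE.findall(style_css)}


def version_tuple(version: str) -> tuple:
    """Numeric comparison key; a non-numeric suffix such as '-beta' is ignored."""
    match = re.match(r"[\d.]+", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in match.group(0).split(".") if p != "")


def is_vulnerable(style_css: str) -> bool:
    """True when the header names Zegen at a version at or below 1.1.9."""
    header = parse_theme_header(style_css)
    if header.get("Theme Name", "").lower() != AFFECTED_THEME.lower():
        return False
    return version_tuple(header["Version"]) <= version_tuple(LAST_VULNERABLE)


def scan_themes_dir(themes_dir: Path) -> list:
    """Walk wp-content/themes/*/style.css and return the affected theme dirs."""
    return [str(css.parent) for css in sorted(themes_dir.glob("*/style.css"))
            if is_vulnerable(css.read_text(errors="replace"))]


# Constructed sample headers (assumed layout of a Zegen style.css).
SAMPLE_VULNERABLE = "/*\nTheme Name: Zegen\nVersion: 1.1.9\n*/\n"
SAMPLE_NEWER = "/*\nTheme Name: Zegen\nVersion: 1.1.10\n*/\n"

if __name__ == "__main__":
    print("1.1.9 affected:", is_vulnerable(SAMPLE_VULNERABLE))   # True
    print("1.1.10 affected:", is_vulnerable(SAMPLE_NEWER))      # False
```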
Affected Products
- Zozothemes / Zegen: ≤ 1.1.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H