CVE-2026-27419 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-27419: WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability

Authenticated (Subscriber role or higher) arbitrary file upload in Zegen versions <= 1.1.9.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the Zegen WordPress theme, versions 1.1.9 and earlier. The flaw is reachable over the network and requires only a Subscriber-level account, the lowest default WordPress role, so any registered user of an affected site can exploit it. Successful exploitation lets the attacker upload a file of their choosing and have the server execute it, which amounts to remote code execution in the web server's context; from there the attacker can read or alter the site's data and take the site down. The CVSS vector marks scope as Changed (S:C) because the impact reaches the host, not just the theme. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-27419 is active across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images and pipeline builds, including custom WordPress-based images. Coverage extends to any image that bundles the Zegen theme at a vulnerable version (1.1.9 or earlier).
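The matching described above, done locally against a WordPress docroot or an unpacked image layer, as an added example (not HarborGuard's scanner and not Zozothemes code): it reads the standard WordPress theme header that every theme's style.css carries ("Theme Name:" and "Version:" lines in the leading comment block) and flags Zegen at 1.1.9 or earlier. The only things assumed are that header format and the usual wp-content/themes layout; the directory names and header texts in SAMPLE_THEMES are constructed.

```python
"""Inventory check for CVE-2026-27419: find WordPress theme directories whose
style.css header identifies the Zegen theme at version <= 1.1.9.

Added example (not HarborGuard's scanner, not Zozothemes code). It relies on the
standard WordPress theme header: the first 8 KiB of style.css carry a comment
block with "Theme Name:" and "Version:" lines. Matching is done on the header,
not on the directory name. The sample headers below are constructed.
"""
import re
import sys
from pathlib import Path

AFFECTED_THEME = "zegen"   # compared case-insensitively against "Theme Name:"
MAX_AFFECTED = "1.1.9"     # advisory: Zegen <= 1.1.9 is affected
HEADER_BYTES = 8192        # WordPress only reads the start of style.css

# One "Key: value" header line, optionally prefixed by "/*" or " * " inside the comment.
HEADER_RE = re.compile(r"^[ \t/*]*(Theme Name|Version|Template)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)


def parse_theme_header(style_css: str) -> dict:
    """Return {'Theme Name': ..., 'Version': ..., 'Template': ...} from a style.css."""
    return dict(HEADER_RE.findall(style_css[:HEADER_BYTES]))


def version_key(version: str) -> tuple:
    """'1.1.9' -> (1, 1, 9). Trailing labels such as '-beta' are ignored."""
    key = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        key.append(int(m.group()))
    return tuple(key)


def is_affected(header: dict) -> bool:
    """True when the header names Zegen at a version <= 1.1.9 (or with no version at all)."""
    if header.get("Theme Name", "").strip().lower() != AFFECTED_THEME:
        return False
    version = header.get("Version")
    if not version:
        return True  # unknown version: treat as affected and investigate by hand
    return version_key(version) <= version_key(MAX_AFFECTED)


def check_themes(themes: dict) -> list:
    """themes maps a theme directory name to its style.css text.

    Returns [(directory, version, reason)] for every hit. Child themes are
    reported too: their Template header proves the parent theme is installed.
    """
    hits = []
    for directory, css in themes.items():
        header = parse_theme_header(css)
        if is_affected(header):
            hits.append((directory, header.get("Version", "?"), "affected Zegen version"))
        elif header.get("Template", "").strip().lower() == AFFECTED_THEME:
            hits.append((directory, header.get("Version", "?"), "child theme of Zegen"))
    return hits


def scan_wordpress_root(root: Path) -> list:
    """Read wp-content/themes/*/style.css under a WordPress docroot or unpacked image."""
    themes = {}
    for css in (root / "wp-content" / "themes").glob("*/style.css"):
        themes[css.parent.name] = css.read_text(encoding="utf-8", errors="replace")
    return check_themes(themes)


# Constructed sample headers standing in for real style.css files.
SAMPLE_THEMES = {
    "zegen": "/*\nTheme Name: Zegen\nTheme URI: https://example.invalid/zegen\nVersion: 1.1.9\n*/\n",
    "zegen-child": "/*\n * Theme Name: Zegen Child\n * Template: zegen\n * Version: 1.0\n */\n",
    "zegen-patched": "/*\nTheme Name: Zegen\nVersion: 1.1.10\n*/\n",
    "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n",
}

if __name__ == "__main__":
    # Usage: python zegen_check.py /var/www/html   (no argument: run on the samples)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    findings = scan_wordpress_root(root) if root else check_themes(SAMPLE_THEMES)
    for directory, version, reason in findings:
        print(f"{directory}: version {version}: {reason}")
```

Note that the version comparison is numeric per component, so 1.1.10 correctly sorts above 1.1.9; a plain string comparison would get that wrong. A Zegen directory with no Version header is reported as affected rather than silently skipped.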
Triage: Available

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each customer organization's compliance policy to determine urgency. Triage output is routed to the appropriate team inbox within each customer org based on configured ownership rules.
Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-27419, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Zozothemes ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation over HTTP or HTTPS (AV:N).

  • Authentication: Required

    A Subscriber-level account is sufficient; no administrative or elevated role is needed (PR:L).

  • Victim interaction: Not required

    No action from any other user or administrator is needed to complete the attack (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required (AC:L).

Blast Radius

  • An attacker uploads a malicious file (such as a PHP web shell) and, by requesting it, gains code execution on the host running WordPress with the privileges of the web server process.
  • With code execution, the attacker reads wp-config.php (database credentials and authentication salts) and through it the whole WordPress database: password hashes, session tokens, and customer records.
  • The attacker can modify or delete any files and database rows the web server process can reach, including the site's own PHP, which gives a persistence path that survives removal of the uploaded file.
  • The attacker can crash or disable the WordPress service entirely, causing a full outage of the affected site.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity file upload vulnerability is active across the platform and matches any image bundling Zegen theme version 1.1.9 or earlier, including internally built WordPress images. Because Zozothemes has not yet published a patched release, HarborGuard monitors the advisory on every ingest cycle and will surface the fix the moment it becomes available upstream. In the interim, compensating controls are worth considering. Turning off open registration (Settings > General, "Anyone can register") stops an anonymous attacker from creating the Subscriber account the exploit needs; it does not help against accounts that already exist or have been phished, so reviewing the subscriber list is the complement. Configuring the web server to refuse to execute PHP under wp-content/uploads, and under any other directory the web server process can write to, turns an uploaded shell into an inert file; note that the advisory does not say where the theme writes uploaded files, so this control should be applied to every web-writable path rather than assumed to cover the vulnerable one. Network-policy rules can limit who can reach the site's authenticated endpoints at all, and egress filtering can limit what a compromised web server process is able to reach. For customers with auto-remediation enabled, a rebuilt image, regression test run, and a PR opened against affected workloads will be triggered automatically once a fix version is published upstream.

Affected packages
  • Zozothemes / Zegen: ≤ 1.1.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H