HarborGuard Database
CVE-2026-39589 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-39589: WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability

Subscriber-level Arbitrary File Upload in Webenvo versions <= 0.0.6.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the Webenvo WordPress theme (versions 0.0.6 and earlier), developed by A WP Life. The flaw is reachable over the network and requires only a low-privilege authenticated account: any registered subscriber on the site can trigger it, and on sites that allow open registration such an account is a self-service signup away. Successful exploitation lets an attacker upload and execute arbitrary files on the server, which amounts to remote code execution with high impact to confidentiality, integrity, and availability. The advisory's vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) records a scope change, which is why the score is 9.9 rather than the 8.8 the same metrics would yield with scope unchanged: code running in the web server process reaches resources well beyond what a subscriber account is authorized to touch. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-39589 is available across every HarborGuard environment. Container images in customer registries and CI/CD pipelines are matched against this CVE within minutes of ingestion from upstream feeds, including custom-built WordPress images that bundle the Webenvo theme.
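As an added example of what such a match looks like in practice (this is not HarborGuard's scanner, which the page does not show), the following Python walks an extracted container root filesystem, reads the theme header that every WordPress theme declares at the top of its style.css, and reports copies of Webenvo at version 0.0.6 or below. Matching on the "Theme Name:" header rather than the directory name also catches renamed or vendored copies. The layout under var/www/html, the theme slug webenvo and the sample root filesystem are constructed for the demo and are not taken from the advisory.

```python
"""Find affected copies of the Webenvo theme in an unpacked container image.

Added example; this is not HarborGuard's scanner. Every WordPress theme
declares its identity in a comment header at the top of style.css
("Theme Name:", "Version:", ...), so matching on that header rather than
on the directory name catches renamed or vendored copies as well.
"""
import os
import re
import tempfile

VULNERABLE_THEME_NAME = "webenvo"   # compared case-insensitively to 'Theme Name:'
LAST_AFFECTED_VERSION = "0.0.6"     # advisory: <= 0.0.6 affected, no fix published

_HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)


def read_theme_header(style_css: str) -> dict:
    """Parse the WordPress theme header block; only the first 8 KiB is
    consulted, which is also all WordPress itself reads."""
    with open(style_css, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(_HEADER_RE.findall(head))


def version_tuple(version: str) -> tuple:
    """'0.0.6' -> (0, 0, 6). Pre-release suffixes such as '-rc1' are not
    modelled; every run of digits becomes one component."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_vulnerable_themes(rootfs: str) -> list:
    """Return [(theme dir relative to rootfs, version)] for each affected copy."""
    hits = []
    for dirpath, _, filenames in os.walk(rootfs):
        if "style.css" not in filenames:
            continue
        # WordPress themes live at <anything>/themes/<slug>/style.css
        if os.path.basename(os.path.dirname(dirpath)) != "themes":
            continue
        header = read_theme_header(os.path.join(dirpath, "style.css"))
        name = header.get("Theme Name", "").lower()
        version = header.get("Version", "")
        if name != VULNERABLE_THEME_NAME or not version:
            continue
        if version_tuple(version) <= version_tuple(LAST_AFFECTED_VERSION):
            rel = os.path.relpath(dirpath, rootfs).replace(os.sep, "/")
            hits.append((rel, version))
    return sorted(hits)


def build_sample_rootfs() -> str:
    """Construct a minimal image root for the demo (constructed sample data):
    one affected Webenvo copy, a child theme that references it (not flagged
    itself; its parent directory is), and an unrelated theme."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    themes = os.path.join(root, "var", "www", "html", "wp-content", "themes")
    samples = {
        "webenvo": "Theme Name: Webenvo\nAuthor: A WP Life\nVersion: 0.0.6\n",
        "webenvo-child": "Theme Name: Webenvo Child\nTemplate: webenvo\nVersion: 1.0\n",
        "twentytwentyfour": "Theme Name: Twenty Twenty-Four\nVersion: 1.2\n",
    }
    for slug, header in samples.items():
        os.makedirs(os.path.join(themes, slug))
        with open(os.path.join(themes, slug, "style.css"), "w", encoding="utf-8") as fh:
            fh.write("/*\n" + header + "*/\n")
    return root


if __name__ == "__main__":
    for theme_dir, version in find_vulnerable_themes(build_sample_rootfs()):
        print(f"CVE-2026-39589: {theme_dir} (Webenvo {version})")
```

Point the walker at the filesystem you get from `docker export` or `crane export` of the image under review; a hit on the parent theme directory is what matters, since a child theme inherits the parent's PHP rather than shipping its own copy.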

Status: Available
Triage

HarborGuard scores this CVE at its published CVSS v3.1 rating of 9.9 (Critical) and weights it against each environment's compliance policy. Triage routing directs findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published for Webenvo, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, the CVE remains flagged as an open critical finding in each affected environment.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege account (subscriber level) is sufficient; no administrative credentials are needed. On sites with open registration ("Anyone can register" under Settings → General) an attacker can create such an account directly, so that setting decides how much the authentication requirement is actually worth.

  • Victim interaction: Not required

    No interaction from any other user or administrator is needed to complete the attack.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors must be met.

Blast Radius

  • An attacker uploads a web shell or other arbitrary executable file to the server and gains remote code execution under the account the web server or PHP process runs as (www-data or equivalent).
  • Full confidentiality impact: the attacker reads any file accessible to that process, including wp-config.php (which carries the database credentials), other WordPress configuration, and stored user data.
  • Full integrity impact: the attacker modifies or overwrites any file the web process can write, including theme files, plugins, and uploaded content, which also provides persistence that survives removal of the original upload.
  • Full availability impact: the attacker crashes or disables the WordPress service, deletes critical files, or exhausts server resources.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked and flagged at Critical severity (CVSS 9.9) across all customer environments where container images include the Webenvo theme at version 0.0.6 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that rebuild triggers a regression test run and opens a PR against affected workloads without manual intervention.

While awaiting an upstream patch, compensating controls worth evaluating include:

  • Removing the theme from the image (switch to another theme and delete the Webenvo directory) if the site does not depend on it. This is the only control in the list that removes the vulnerable code rather than restricting access to it.
  • Disabling open user registration ("Anyone can register" under Settings → General) if it is not required, and reviewing the existing subscriber accounts, since an already-registered low-privilege login is all the vulnerability needs.
  • Network-policy rules that restrict inbound access to the WordPress registration and upload endpoints to trusted sources.
  • Web Application Firewall rules that block multipart file upload requests from low-privilege sessions. Treat these as a stopgap: the vulnerable endpoint is unchanged underneath them, and the finding stays open until a fixed version ships.

Affected packages
  • A WP Life / Webenvo
    ≤ 0.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H