CVE-2026-56059: WordPress Travel Booking theme <= 2.2.5 - Arbitrary File Upload vulnerability
Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: — (no upstream fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability exists in the PhysCode Travel Booking WordPress theme, versions 2.2.5 and earlier. The flaw is reachable over the network and requires only a low-privilege account (subscriber level) with no victim interaction, so any registered user of the site can exploit it. Successful exploitation allows an attacker to upload and execute arbitrary code on the server, giving full control over confidentiality, integrity, and availability; because the CVSS scope is Changed, the impact extends beyond the theme itself to other resources on the host. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Travel Booking theme. Any image containing the affected theme version is flagged immediately. (Status: Available)
HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each customer environment's compliance policy to surface the appropriate urgency. Triage routing sends the finding to the right team inbox within each customer org based on configured ownership rules. (Status: Available)
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment PhysCode ships a remediated release. In the interim, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected theme version. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
A low-privilege account (subscriber level) is sufficient; no administrative credentials are needed, but the attacker must hold at least one valid registered-user account on the target site.
- Victim interaction: Not required
No victim action is needed; the attacker submits the malicious file upload request directly, without social engineering or user clicks.
- Attack complexity: Low
Attack complexity is low: the exploit does not depend on race conditions, memory layout, or other conditions outside the attacker's control, so it is expected to work reliably on any affected installation.
Blast Radius
- Attacker uploads and executes a web shell or arbitrary PHP file, gaining remote code execution on the underlying server.
- Full contents of the WordPress database (user credentials, customer records, booking data) become readable and exfiltrable.
- Attacker can modify or delete any files accessible to the web server process, including theme files, plugins, and uploaded media.
- The scope extends beyond the WordPress application itself: other services and data on the same host or container are reachable from the attacker-controlled process.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-56059, HarborGuard continuously monitors the Patchstack advisory and will trigger a patched-image rebuild the moment PhysCode publishes a fix version.

Until then, customers are encouraged to use HarborGuard's policy engine to enforce a block or warn gate on any pipeline deploying images that include Travel Booking theme versions 2.2.5 or earlier. Network-policy isolation (restricting inbound HTTP to trusted sources) and disabling open user registration on affected WordPress instances are recommended as compensating controls. Note that disabling registration only closes the self-service path to an account: any existing low-privilege account, including customer accounts created for bookings, still meets the privilege requirement for this flaw.

For customers who opt into auto-remediation, a rebuild, regression test run, and PR against affected workloads will be initiated automatically once a fix version becomes available; the typical median time from CVE publication to merged patch PR is around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
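The detection described in the coverage section and the policy gate recommended above both reduce to the same check: find every installed copy of the theme and compare its declared version against the affected range. The following Python is an added example, not HarborGuard's or Patchstack's code. It reads the WordPress theme header at the top of each theme's style.css (the same "Theme Name:" and "Version:" lines WordPress itself parses), matches on the theme name from this advisory, and compares versions numerically rather than as strings so that 2.10.0 is correctly treated as newer than 2.2.5. The directory name `travel-booking` and the header contents in the built-in sample are constructed for the demo and are assumptions, not facts from the advisory.

```python
"""Scan a WordPress root (a live site or an unpacked image rootfs) for the affected theme.

Added example, not the advisory's or HarborGuard's code. Facts taken from the
advisory: theme name "Travel Booking", highest affected version 2.2.5.
Everything else (sample directory names, sample header text) is constructed.
"""
import os
import re
import tempfile

THEME_NAME = "Travel Booking"   # from the advisory
MAX_AFFECTED = "2.2.5"          # from the advisory: <= 2.2.5 is affected

# WordPress declares theme metadata as "Key: value" lines inside the leading
# comment of style.css. Only the two keys needed for this check are captured.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version):\s*(.+?)\s*$", re.M | re.I)


def parse_theme_header(css_text):
    """Return {'Theme Name': ..., 'Version': ...} from the top of a style.css."""
    # WordPress only inspects the first 8 KiB of the file; do the same.
    return {k.title(): v for k, v in HEADER_RE.findall(css_text[:8192])}


def version_tuple(version):
    """'2.2.5' -> (2, 2, 5). Non-numeric suffixes are dropped; short versions pad with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the declared version falls inside the advisory's affected range."""
    return version_tuple(version) <= version_tuple(MAX_AFFECTED)


def scan_themes(wp_root):
    """Return one finding per installed copy of the named theme.

    Each finding is {'theme': <directory>, 'version': <str or None>, 'affected': <bool or None>};
    'affected' is None when the theme carries no Version header and needs manual review.
    """
    themes_dir = os.path.join(wp_root, "wp-content", "themes")
    findings = []
    if not os.path.isdir(themes_dir):
        return findings
    for entry in sorted(os.listdir(themes_dir)):
        css_path = os.path.join(themes_dir, entry, "style.css")
        if not os.path.isfile(css_path):
            continue
        with open(css_path, encoding="utf-8", errors="replace") as fh:
            header = parse_theme_header(fh.read(8192))
        if header.get("Theme Name", "").strip().lower() != THEME_NAME.lower():
            continue
        version = header.get("Version") or None
        findings.append({
            "theme": entry,
            "version": version,
            "affected": is_affected(version) if version else None,
        })
    return findings


def build_sample_install(root):
    """Write a constructed wp-content/themes tree for the demo (sample data, not a real site).

    The directory names and header text here are assumptions for illustration only.
    """
    samples = {
        "travel-booking": "/*\nTheme Name: Travel Booking\nAuthor: PhysCode\nVersion: 2.2.5\n*/\n",
        "travel-booking-new": "/*\nTheme Name: Travel Booking\nVersion: 2.2.6\n*/\n",
        "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
    }
    for directory, css in samples.items():
        theme_dir = os.path.join(root, "wp-content", "themes", directory)
        os.makedirs(theme_dir, exist_ok=True)
        with open(os.path.join(theme_dir, "style.css"), "w", encoding="utf-8") as fh:
            fh.write(css)
    return root


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    return scan_themes(build_sample_install(tempfile.mkdtemp()))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `scan_themes()` at the document root of a live install, or at the unpacked rootfs of a container image, and gate the pipeline on any finding whose `affected` value is not `False`. For the registration control recommended above, the relevant WordPress setting is the `users_can_register` option, which WP-CLI reads with `wp option get users_can_register` (a value of 1 means open registration is enabled).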
Affected Products
- PhysCode / Travel Booking: ≤ 2.2.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H