CVE-2026-57658: WordPress TemplateSpare plugin <= 4.2.0 - Arbitrary File Upload vulnerability
Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability exists in the TemplateSpare WordPress plugin at version 4.2.0 and earlier. An authenticated attacker with administrator-level access can reach the vulnerable endpoint over the network and upload arbitrary files to the server, including executable code. Successful exploitation gives the attacker the ability to read, modify, or destroy data on the host and execute arbitrary code in the scope of the web server process. No patched version has been published; HarborGuard is tracking the upstream advisory for patch availability.
HarborGuard Coverage
- Detection: Available. Detection for this CVE is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built WordPress images that bundle the TemplateSpare plugin.
- Triage: Available. Triage is available with a CVSS v3.1 score of 9.1 (Critical) applied automatically, weighted further by each customer org's compliance policy to reflect risk tolerance and regulatory context. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
- Remediation: Pending upstream. Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
An administrator-level account is required; a low-privilege account is not sufficient to trigger the upload endpoint.
- Victim interaction: Not required
No victim interaction is needed; the attacker can carry out the upload entirely without involving another user.
- Attack complexity: Low
Exploit complexity is low, meaning no race conditions or special environmental factors are required and the attack is reliably reproducible.
Blast Radius
- The attacker can upload and execute arbitrary server-side code, achieving remote code execution in the context of the web server process.
- Confidential data stored by the WordPress installation, including database credentials, session tokens, and user records, is fully readable by the attacker.
- The attacker can modify or delete persisted content, configuration files, and database rows, corrupting site integrity.
- The attacker can crash or render unavailable the web application and any services sharing the same host resources.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-57658 is active for any customer image that bundles TemplateSpare at version 4.2.0 or earlier, with findings surfaced at Critical severity. Because no upstream patch exists, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available immediately upon upstream release. For customers with auto-remediation enabled, that release will trigger an automatic rebuild, regression-test run, and a PR opened against affected workloads. In the meantime, compensating controls worth considering include network-policy rules that restrict wp-admin access to trusted IP ranges, web application firewall rules blocking unauthenticated or unexpected file-upload requests to the plugin's endpoints, and review of administrator account grants to reduce the number of principals who could be used to satisfy the privilege requirement.
Affected Products
- Templatespare / TemplateSpare: ≤ 4.2.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H