PT-2026-1513 · Themify · Themify Folo+8

Published: 2026-01-06 · Updated: 2026-01-07 · CVE-2025-30996

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Themify Sidepane WordPress Theme versions n/a through 1.9.8
Themify Newsy versions n/a through 1.9.9
Themify Folo versions n/a through 1.9.6
Themify Edmin versions n/a through 2.0.0
Themify Bloggie versions n/a through 2.0.8
Themify Photobox versions n/a through 2.0.1
Themify Wigi versions n/a through 2.0.1
Themify Rezo versions n/a through 1.9.7
Themify Slide versions n/a through 1.7.5

Description

The affected software contains an unrestricted file upload issue. This allows for the upload of dangerous file types, such as web shells, potentially granting attackers full server access. The issue stems from a lack of validation of uploaded files, including file types, extensions, and filtering. Exploitation does not require authentication. Reports indicate that attackers have successfully uploaded malicious files, gaining control of numerous sites utilizing the vulnerable themes. The vulnerability provides a pivot point for mass web shell deployment.

Recommendations

Themify Sidepane WordPress Theme versions prior to 1.9.8 should be updated.
Themify Newsy versions prior to 1.9.9 should be updated.
Themify Folo versions prior to 1.9.6 should be updated.
Themify Edmin versions prior to 2.0.0 should be updated.
Themify Bloggie versions prior to 2.0.8 should be updated.
Themify Photobox versions prior to 2.0.1 should be updated.
Themify Wigi versions prior to 2.0.1 should be updated.
Themify Rezo versions prior to 1.9.7 should be updated.
Themify Slide versions prior to 1.7.5 should be updated.

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-30996

Affected Products

Themify Bloggie
Themify Edmin
Themify Folo
Themify Newsy
Themify Photobox
Themify Rezo
Themify Sidepane
Themify Slide
Themify Wigi