Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and involves the lack of proper validation of the file type and content on the server side. An attacker can upload an executable file (e.g., a PHP web shell) directly to the server without needing any permissions. Once the file is placed on the server, it can be remotely invoked through a browser or HTTP request, resulting in the execution of malicious code.
An attacker can gain full control of the server by executing arbitrary system commands (RCE) using an uploaded web shell. Data theft, modification of website content, lateral movement in the infrastructure, and permanent server compromise are possible.
The Energia theme should be immediately removed or disabled until a patched version is released by the vendor. It is recommended to monitor the uploads directory and other writable locations for unknown PHP files. Apply patches available from the vendor according to the references (Patchstack).
The WordPress theme Farost Energia in all versions from n/a to 1.1.2 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H