CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-50002

CVSS 10.0v3.1pub. 2026-01-22upd. 2026-04-27

Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and involves the lack of proper validation of the file type and content on the server side. An attacker can upload an executable file (e.g., a PHP web shell) directly to the server without needing any permissions. Once the file is placed on the server, it can be remotely invoked through a browser or HTTP request, resulting in the execution of malicious code.

Impact

An attacker can gain full control of the server by executing arbitrary system commands (RCE) using an uploaded web shell. Data theft, modification of website content, lateral movement in the infrastructure, and permanent server compromise are possible.

Mitigation & patch

The Energia theme should be immediately removed or disabled until a patched version is released by the vendor. It is recommended to monitor the uploads directory and other writable locations for unknown PHP files. Apply patches available from the vendor according to the references (Patchstack).

Who is affected

The WordPress theme Farost Energia in all versions from n/a to 1.1.2 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References