{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67924", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:49.436Z", "datePublished": "2026-01-08T09:17:47.419Z", "dateUpdated": "2026-04-28T16:14:23.679Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "corpkit", "product": "Corpkit", "vendor": "zozothemes", "versions": [{"changes": [{"at": "2.0.1", "status": "unaffected"}], "lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:33.810Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.<p>This issue affects Corpkit: from n/a through <= 2.0.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:23.679Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:03:17.080803Z", "id": "CVE-2025-67924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:03:21.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T18:03:17.080803Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:55:00.350Z"}}], "cna": {"title": "WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "zozothemes", "product": "Corpkit", "versions": [{"status": "affected", "changes": [{"at": "2.0.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0"}], "packageName": "corpkit", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:33.810Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.<p>This issue affects Corpkit: from n/a through <= 2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.531Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67924", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:03:21.125Z", "dateReserved": "2025-12-15T09:59:49.436Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:47.419Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0."}], "id": "CVE-2025-67924", "lastModified": "2026-04-27T18:16:49.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:51.347", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:18:14.069322+00:00", "value": {"mitigation_remediation": ["Upgrade the Corpkit theme to a version newer than 2.0 as soon as an update is available.", "If no update exists, remove or replace the vulnerable theme with a secure alternative and ensure that file uploads are restricted or filtered against executable file types.", "Scan the site for any uploaded web shells or other malicious files and delete them; adjust file permissions so that uploaded content cannot be executed by the web server."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "Any installation of zozothemes Corpkit theme version 2.0 or earlier is affected. All users running the theme up to and including version 2.0 are vulnerable.", "description_and_impact": "This vulnerability is an Unrestricted Upload of File with Dangerous Type flaw in the zozothemes Corpkit WordPress theme. An attacker can upload a web shell to the server by submitting a malicious file through the theme\u2019s upload interface. Once uploaded, the web shell can be executed, giving the attacker the ability to run arbitrary code and gain full control over the compromised web server.", "risk_and_exploitability": "The CVSS score of 9.9 indicates a critical vulnerability. The EPSS score is below 1%, which suggests that exploitation is currently low but still possible. The theme is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is a remote attacker sending a crafted HTTP request that exploits the theme\u2019s file upload functionality, enabling the upload and execution of arbitrary files on the web server."}}}}, "created": "2026-01-09T13:25:24.761923+00:00", "updated": "2026-04-28T18:30:37.322163+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}