{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0831", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-09T20:31:20.483Z", "datePublished": "2026-01-10T09:22:18.126Z", "dateUpdated": "2026-04-08T17:01:43.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:43.379Z"}, "affected": [{"vendor": "wpdevteam", "product": "Templately \u2013 Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud!", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory."}], "title": "Templately <= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414"}, {"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426051/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-12-19T23:25:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-09T20:32:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T13:07:30.520778Z", "id": "CVE-2026-0831", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:09:57.883Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0831", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T13:07:30.520778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:09:44.373Z"}}], "cna": {"title": "Templately <= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "Templately \u2013 Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud!", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T23:25:34.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-09T20:32:57.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414"}, {"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426051/"}], "descriptions": [{"lang": "en", "value": "The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-10T09:22:18.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0831", "state": "PUBLISHED", "dateUpdated": "2026-01-12T13:09:57.883Z", "dateReserved": "2026-01-09T20:31:20.483Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-10T09:22:18.126Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory."}, {"lang": "es", "value": "El plugin Templately para WordPress es vulnerable a la escritura arbitraria de archivos en todas las versiones hasta la 3.4.8, inclusive. Esto se debe a una validaci\u00f3n de entrada inadecuada en la funci\u00f3n 'save_template_to_file()' donde par\u00e1metros controlados por el usuario como 'session_id', 'content_id' y 'ai_page_ids' se utilizan para construir rutas de archivo sin una sanitizaci\u00f3n adecuada. Esto hace posible que atacantes no autenticados escriban archivos '.ai.json' arbitrarios en ubicaciones dentro del directorio de cargas."}], "id": "CVE-2026-0831", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-10T10:15:50.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3426051/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:13:42.534691+00:00", "value": {"mitigation_remediation": ["Upgrade the Templately plugin to version 3.4.9 or later, which removes the unsanitized file path construction.", "If an immediate upgrade is not possible, disable or delete the Templately plugin entirely to eliminate the vulnerable code path.", "Implement monitoring of the uploads directory for unexpected .ai.json file creation and review the plugin\u2019s file write operations regularly."], "summary": {"action": "Patch Now", "impact": "Unauthenticated Arbitrary JSON File Write"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed wpdevteam:Templately \u2013 Elementor & Gutenberg Template Library in any version up to and including 3.4.8 are affected. The issue resides in the plugin\u2019s core code and can affect any WordPress installation that allows unauthenticated access to the plugin\u2019s save endpoint.", "description_and_impact": "The Templately WordPress plugin is vulnerable because the function that saves a template to a file does not sanitize user-supplied parameters such as session_id, content_id, and ai_page_ids before building a file path. This oversight allows an unauthenticated attacker to cause the plugin to write arbitrary .ai.json files under the uploads directory. The immediate consequence is the creation of files the attacker controls, which could be leveraged to alter plugin behavior, insert malicious configuration data, or trigger script execution if the JSON is subsequently processed by the application.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, further indicating a lower current threat. The likely attack vector is a remote HTTP request to the plugin\u2019s endpoint, which does not require authentication. The potential impact is the unauthorized creation of files in the uploads directory, giving the attacker the ability to influence the plugin\u2019s function or store malicious data. Overall, while the risk is moderate, the low exploitation probability and lack of authentication requirement heighten awareness but do not necessitate emergency containment measures beyond patching."}}}}, "created": "2026-01-12T14:36:25.398304+00:00", "updated": "2026-04-15T19:15:12.083911+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$templately"]}