Themes Vulnerabilities

Flozen < 1.5.1 - Unauthenticated Arbitrary File Upload

Description

The flozen-theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.5.1 (exclusive). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Themes

flozen-theme
Fixed in 1.5.1

References

CVE
CVE-2025-49071
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f21a356-193e-4eab-a8be-d88315421d03

Miscellaneous

Original Researcher
Phat RiO - BlueRock
Verified
No
WPVDB ID
0c5931fb-90a4-46ed-b38f-2d3378c4b4a7

Timeline

Publicly Published
2025-06-11 (about 11 months ago)
Added
2025-06-17 (about 11 months ago)
Last Updated
2025-06-17 (about 11 months ago)

Other

Published
Title
Published
2025-06-27
Title
File Manager Plugin For Wordpress <= 7.5 - Authenticated (Admin+) Arbitrary File Upload
Published
2014-08-01
Title
Woopra < 1.4.3.2 - Unauthenticated Arbitrary File Upload
Published
2019-05-29
Title
Finale WooCommerce Sale Countdown <= 2.9.0 - Arbitrary File Upload
Published
2025-02-04
Title
Contact Manager < 8.6.5 - Unauthenticated Arbitrary Double File Extension Upload
Published
2021-06-28
Title
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component