Themify Ultra < 7.3.6 – Authenticated (Subscriber+) Arbitrary File Upload | CVE 2023-46149 | Theme Vulnerabilities

Description

The themify-ultra theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in during a file upload in all versions up to, and including, 7.3.3. This makes it possible for authenticated attackers with subscriber access or higher to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Themes

Fixed in 7.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ed5251e7-64d2-4210-9864-144952a49327

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

5ce5ccb1-1a65-464e-b13a-f7e2b6a6e224

Timeline

Publicly Published

2023-10-17 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-28 (about 2 years ago)

Other

Published

Title

Published

2025-09-16

Title

StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More < 1.5.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2023-09-19

Title

Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

Published

2024-08-16

Title

Metform Elementor Contact Form Builder < 3.3.0 - Unauthenticated Double-Extension Arbitrary File Upload

Published

2016-08-01

Title

Estatik < 2.3.1 - Arbitrary File Upload

Published

2025-04-23

Title

PowerPress Podcasting plugin by Blubrry < 11.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting