A critical arbitrary file upload flaw in the WordPress Travelscape theme (v1.0.3) lets unauthenticated attackers drop malicious files and achieve remote code execution on affected sites.
What Is It
CVE-2024-58349 is an arbitrary file upload vulnerability (CWE-434) in the WordPress Travelscape theme version 1.0.3. The theme's upload functionality fails to perform sufficient validation on submitted files, allowing an unauthenticated remote attacker to write arbitrary files into the theme directory. Once a malicious file, such as a PHP web shell, is placed on disk, the attacker can request it and trigger code execution in the context of the WordPress installation.
The flaw carries a CVSS 3.1 base score of 9.8 (Critical) and a CVSS 4.0 base score of 9.3 (Critical). The attack vector is network-based with low attack complexity; it requires no privileges and no user interaction, and has high impact on confidentiality, integrity, and availability (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Why It Matters
Unauthenticated file upload leading to RCE is the worst class of WordPress theme bug: any internet-exposed site running the vulnerable theme can be fully compromised by a single HTTP request, with no credentials or social engineering required. A public exploit is already indexed on Exploit-DB (entry 51969), which lowers the bar for opportunistic mass-scanning and commodity webshell deployment. Successful exploitation typically results in site defacement, SEO spam injection, credential theft, or use of the host as a pivot for further attacks.
This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, so active in-the-wild exploitation has not been federally confirmed at the time of writing.
What's Vulnerable
- Product: WordPress Theme "Travelscape"
- Affected version: 1.0.3
- Weakness: CWE-434, Unrestricted Upload of File with Dangerous Type
- Pre-conditions: None; exploitable by an unauthenticated remote attacker over the network.
No affected CPE entries are enumerated in the NVD record beyond the version called out in the description.
Patch Status
The NVD record does not list a fixed version or vendor patch advisory. Administrators running Travelscape 1.0.3 should treat the theme as vulnerable, remove or disable it, and audit the theme directory for unexpected files until a vendor-supplied update is confirmed. Consult the VulnCheck advisory below for any updated remediation guidance.
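The theme-directory audit recommended above can be made repeatable by hashing a clean copy of the theme and diffing the live directory against it. The script below is an added example written for this advisory, not code from the theme, NVD or VulnCheck; the theme layout, file names and contents are constructed, and the `uploads` subdirectory is an assumption about where dropped files might land.

```python
"""Audit a WordPress theme directory against a known-good file manifest."""
import hashlib
import tempfile
from pathlib import Path

# Extensions a typical web server will execute when requested directly.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(theme_dir: Path) -> dict:
    """Hash every file in a clean copy of the theme: relative path -> sha256."""
    return {p.relative_to(theme_dir).as_posix(): sha256_of(p)
            for p in sorted(theme_dir.rglob("*")) if p.is_file()}

def audit_theme(theme_dir: Path, manifest: dict) -> dict:
    """Report files that are unexpected, modified or missing versus the manifest.
    'executable' lists unexpected files the server would run: the top-priority finding."""
    findings = {"unexpected": [], "modified": [], "missing": [], "executable": []}
    seen = set()
    for p in sorted(theme_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(theme_dir).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
            if p.suffix.lower() in EXECUTABLE_EXT:
                findings["executable"].append(rel)
        elif sha256_of(p) != manifest[rel]:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings

def demo() -> dict:
    """Constructed scenario: clean theme, then a dropped PHP file and a tampered template."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "travelscape"
        (theme / "uploads").mkdir(parents=True)   # assumed upload location (constructed)
        (theme / "style.css").write_text("/* Theme Name: Travelscape (constructed) */\n")
        (theme / "functions.php").write_text("<?php // constructed placeholder\n")
        manifest = build_manifest(theme)           # baseline taken from the clean install
        (theme / "uploads" / "avatar.php").write_text("<?php // constructed: not part of the theme\n")
        (theme / "functions.php").write_text("<?php // constructed: altered after install\n")
        return audit_theme(theme, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice, build the manifest from a freshly downloaded copy of the theme, not from the possibly compromised live directory, and treat any entry under `executable` as an incident rather than a cleanup task.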