CVE-2025-30996: Critical WordPress Theme Flaw Enables Instant Web-Shell Takeover

Severity: Critical
CVSS: ~9.8
Impact: Full site takeover
Exploitability: High (authenticated attacker)
Attack Outcome: Remote code execution via web shell


What’s actually wrong here

This vulnerability exists because some Themify themes trust uploaded files far more than they should.
When a user uploads a file through certain theme features, the server fails to properly verify:

  • What the file really is
  • Whether it contains executable code
  • Whether it should ever be placed in a web-accessible location

Because of that trust failure, a logged-in user can upload a file that looks harmless on the surface but is actually executable PHP. Once that file lands on disk, the web server happily runs it.

At that point, the attacker isn’t “using WordPress” anymore — they’re running commands directly on the server.


Why authentication does NOT make this low risk

This flaw requires a Contributor account or higher. That sounds reassuring until you consider reality:

  • Contributor accounts are common
  • They’re often shared, abandoned, or poorly protected
  • Credential stuffing and phishing routinely compromise them
  • Many sites allow public user registration

Once a Contributor account is compromised, this vulnerability becomes a straight path to full control.


How an attack typically unfolds

  1. An attacker logs in using a compromised Contributor account
  2. They upload a crafted file through a vulnerable theme feature
  3. The file is stored in a directory that the web server can access
  4. PHP execution is allowed in that location
  5. The attacker loads the file in a browser
  6. Commands execute as the web server user

From there, the attacker can:

  • Create admin users
  • Modify theme and plugin files
  • Dump the WordPress database
  • Add persistent backdoors
  • Infect other sites on the same server

This is why arbitrary file upload bugs are treated as critical by default.


MITRE ATT&CK perspective

This vulnerability maps cleanly to known attacker behavior:

  • Initial Access: Valid Accounts (T1078)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Command and Scripting Interpreter – PHP (T1059)
  • Persistence: Web Shell (T1505.003)
  • Defense Evasion: Obfuscated or disguised files (T1027)

Nothing exotic — which is exactly why it’s dangerous.


What defenders should be watching for

File system warning signs

  • New PHP files appearing where they don’t belong
  • Files with double extensions
  • PHP files owned by the web server user
  • Recently created files in theme or upload directories

Log-level indicators

  • POST requests with multipart form uploads
  • Upload actions followed quickly by direct file access
  • Contributor accounts performing unusual uploads
  • Requests hitting unknown PHP files with no referrer

Behavioral red flags

  • Contributors acting like administrators
  • Upload activity outside business hours
  • Sudden spikes in file creation

Practical detection rules

You should alert when:

  1. A file upload request
    • Uses multipart/form-data
    • Writes a file into a theme or uploads directory
    • And the filename looks executable
  2. A newly created PHP file
    • Is accessed within minutes of being uploaded
    • Especially by the same IP
  3. PHP executes from uploads
    • Any PHP process whose script path includes wp-content/uploads
  4. Theme files change unexpectedly
    • Outside patch windows
    • Without an admin action

These rules catch real attacks without relying on fragile signatures.
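
Rules 1 to 3 above can be checked against ordinary web server logs. The following is an added example, not code from the original post: it parses a few constructed Apache combined-format access-log lines and flags an IP that POSTs to a WordPress upload endpoint and then, within five minutes, fetches an executable-looking file (including double extensions such as img.jpg.php) from wp-content/uploads or wp-content/themes. The endpoint list, the five-minute window and the sample lines are assumptions; Content-Type is not recorded in access logs, so the multipart check in rule 1 has to come from the application or WAF log instead.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Apache combined-format access-log lines (not from a real incident):
# an upload then a fetch of a double-extension PHP file, then a benign image upload/fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:03:12:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2025:03:13:05 +0000] "GET /wp-content/uploads/2025/04/img.jpg.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2025:09:30:00 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2025:09:30:20 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 40213 "https://blog.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Match .php/.phtml/.phar anywhere in the extension chain (img.jpg.php, shell.php.jpg).
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
WRITABLE_DIRS = ("/wp-content/uploads/", "/wp-content/themes/")
# Assumed generic WordPress upload endpoints; the page does not name the theme's own.
UPLOAD_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/async-upload.php")
WINDOW = timedelta(minutes=5)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "referer": m["referer"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def looks_executable(path):
    return bool(EXEC_EXT_RE.search(path.split("?", 1)[0]))

def find_upload_then_execute(log_text, window=WINDOW):
    """Alert when one IP POSTs to an upload endpoint and, within `window`, gets a
    200 for an executable-looking file under a writable directory (rules 1-3)."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    uploads = [e for e in events
               if e["method"] == "POST" and e["path"].split("?", 1)[0] in UPLOAD_ENDPOINTS]
    alerts = []
    for up in uploads:
        for hit in events:
            if (hit["ip"] == up["ip"] and hit["method"] == "GET" and hit["status"] == 200
                    and up["ts"] < hit["ts"] <= up["ts"] + window
                    and hit["path"].startswith(WRITABLE_DIRS) and looks_executable(hit["path"])):
                alerts.append({"ip": hit["ip"], "path": hit["path"], "no_referer": hit["referer"] == "-",
                               "seconds_after_upload": int((hit["ts"] - up["ts"]).total_seconds())})
    return alerts
```

Run over the sample, it raises exactly one alert, for the 203.0.113.7 fetch of img.jpg.php 24 seconds after the upload with no referrer; the benign photo.jpg pair is ignored.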


How to actually fix the problem

Immediate

  • Update all affected Themify themes using the official updater
  • Remove themes you don’t actively use
  • Audit Contributor and Author accounts
  • Reset passwords where needed

Server-side hardening

  • Disable PHP execution in upload directories
  • Enforce strict file extension allowlists
  • Lock down file permissions

Long-term

  • Use file integrity monitoring
  • Log WordPress user activity
  • Add a WAF with upload inspection
  • Require MFA for administrators

Official patch source

Themify provides official update guidance here:
https://themify.me/docs/upgrading

Always patch before restoring a compromised site.


Final takeaway

CVE-2025-30996 isn’t clever or complex — and that’s exactly why it’s dangerous.
It turns a low-privileged account into total server control with very little effort.

If this theme is installed and unpatched, you should assume active risk, not hypothetical exposure.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.