{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32482", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:55.347Z", "datePublished": "2026-03-25T16:14:57.573Z", "dateUpdated": "2026-03-25T16:14:57.573Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ona", "product": "Ona", "vendor": "deothemes", "versions": [{"changes": [{"at": "1.24", "status": "unaffected"}], "lessThanOrEqual": "< 1.24", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.503Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.<p>This issue affects Ona: from n/a through < 1.24.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.573Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/ona/vulnerability/wordpress-ona-theme-1-24-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Ona theme < 1.24 - Arbitrary File Upload vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24."}], "id": "CVE-2026-32482", "lastModified": "2026-03-25T17:16:59.183", "metrics": {}, "published": "2026-03-25T17:16:59.183", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/ona/vulnerability/wordpress-ona-theme-1-24-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:38:08.787229+00:00", "value": {"mitigation_remediation": ["Update the Ona theme to version 1.24 or newer", "If upgrading immediately is not possible, disable or restrict the upload feature to allow only harmless file types", "Configure the web server to deny execution permissions for the upload directory", "Regularly scan the upload directory for unexpected files and monitor for suspicious activity"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress Ona theme distributed by deothemes, for all versions from the earliest release up to, but not including, 1.24. In practice, any WordPress installation using the Ona theme prior to version 1.24 is vulnerable.", "description_and_impact": "The vulnerability is an unrestricted upload of files with dangerous types, allowing an attacker to upload a web shell to the server. This results in remote code execution, permitting full compromise of the affected site and potentially the underlying server, compromising confidentiality, integrity, and availability. The weakness corresponds to CWE-434, Unsanitized Input Leading to Dangerous File Upload.", "risk_and_exploitability": "Because the vulnerability allows execution of arbitrary code, the overall risk is high. No EPSS score or KEV listing is available, but the lack of input validation commonly leads to exploitation. The attack path is inferred to involve the theme\u2019s file upload feature; an attacker would submit a PHP or other executable file through that interface, thereby gaining a web shell. The severity remains significant until a patch is applied."}}}}, "created": "2026-03-25T21:43:44.203755+00:00", "updated": "2026-03-25T21:43:44.203787+00:00", "vendors": []}