CVE-2025-49071: 
WordPress vulnerability analysis and mitigation

CVE-2025-49071 is a critical vulnerability affecting the Flozen WordPress theme versions prior to 1.5.1. The vulnerability was discovered on June 11, 2025, and publicly disclosed on June 17, 2025. It is classified as an Unrestricted Upload of File with Dangerous Type vulnerability that allows unauthenticated attackers to upload a web shell to a web server (Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. It is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability allows arbitrary file upload functionality that could be exploited without requiring authentication (Wiz, Patchstack).

The vulnerability is considered highly dangerous and expected to become mass exploited. It allows malicious actors to upload any type of file to the website, including backdoors which can be executed to gain further access to the website. The critical CVSS score of 10.0 indicates the maximum possible impact on confidentiality, integrity, and availability of the affected system (Patchstack).

Users are advised to immediately update to Flozen theme version 1.5.1 or later which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Wiz, Patchstack).