WordPress Theme Travelscape 1.0.3 Vulnerability (CVE-2024-58349)

Security Alert Summary

WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme’s upload functionality. Attackers can place files in the theme directory and execute them to achieve remote code execution on affected WordPress installations.

CVE Details

  • CVE ID: CVE-2024-58349
  • Affected component: WordPress Theme Travelscape 1.0.3
  • Affected versions: Travelscape 1.0.3 (as stated in the advisory)
  • Published: June 8, 2026 at 02:16:23 AM (UTC)
  • Last modified: June 8, 2026 at 02:59:44 PM (UTC)
  • CVSS v3.1: Base Score 9.8 – Severity: CRITICAL
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / Interaction: Authentication required: None; Privileges required: NONE; User interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • Weakness (CWE): CWE-434

Technical Details

The vulnerability is an arbitrary file upload issue in the theme’s upload functionality caused by insufficient validation of uploaded files. According to the advisory, unauthenticated attackers can upload arbitrary files into the theme directory and execute them. Successful exploitation results in remote code execution on the affected WordPress installation.

No specific function names or REST endpoints are named in the advisory. The root cause is described as missing or inadequate validation of uploaded content within the theme, which permits placing executable files where the web server can run them.

The impact is direct: an attacker who can upload and execute files may run code on the server process that hosts WordPress. This can lead to data exposure, modification, or disruption consistent with the CVSS HIGH impact ratings for confidentiality, integrity, and availability.

How This Could Impact Your Website

Consider a site with a site owner, an internal editor, and an external contractor who contributes media and content. If the site uses the affected Travelscape 1.0.3 theme, an unauthenticated attacker could upload a malicious file to the theme directory and execute it, potentially exposing database contents, user information, or allowing the attacker to modify site content.

Practical consequences include exposure of internal user email addresses and other sensitive data, and an increased risk of targeted phishing or social engineering against staff or contributors. Such access can also be used to deface content or disrupt service availability consistent with the HIGH availability impact.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected theme as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and author roles.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained themes and plugins from the site.
  • Monitor site activity, file system changes, and web server logs for unusual behavior.
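
One way to act on the file-system monitoring recommendation, as an added example (not code from the advisory or the theme): record a SHA-256 baseline of the theme directory while it is known to be clean, then flag new or changed files the web server could execute. The extension list, the directory layout and the sample files are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}


def build_manifest(theme_dir):
    """Map each file path (relative to theme_dir) to its SHA-256 digest."""
    root = Path(theme_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Return files added, modified or removed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])
    return {"added": added, "modified": modified, "removed": removed}


def executable_findings(diff):
    """New or changed files the server could run, including double extensions."""
    return [f for f in diff["added"] + diff["modified"]
            if any(s.lower() in EXECUTABLE_EXTS for s in Path(f).suffixes)]


def demo():
    """Constructed sample: a stand-in theme tree, then two new files and one edit."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "travelscape"
        (theme / "images").mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // theme code\n")
        (theme / "style.css").write_text("/* Theme Name: Travelscape */\n")
        baseline = build_manifest(theme)
        # Simulated changes after the baseline (harmless placeholder content).
        (theme / "images" / "cache.php").write_text("placeholder\n")
        (theme / "images" / "banner.php.jpg").write_text("placeholder\n")
        (theme / "style.css").write_text("/* edited */\n")
        diff = diff_manifest(baseline, build_manifest(theme))
        return diff, executable_findings(diff)


if __name__ == "__main__":
    changes, alerts = demo()
    print("changes:", changes, "\nalerts:", alerts)
```

Store the baseline manifest outside the web root so that anyone able to write into the theme directory cannot also rewrite the baseline.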

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
