External risk intelligence

Restaurt Subscriber Arbitrary File Upload Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-22327

A critical vulnerability in the Restaurt theme allows authenticated users to upload arbitrary files, potentially leading to system compromise. If the theme is in use and reachable, attackers could execute malicious code or alter application behavior, posing a risk to integrity and confidentiality. Confirming usage and

Unrestricted File Upload

Halo Surface Signal

Likely · external exposure


The vulnerability affects a WordPress theme, which is a component of a web application. Web applications, particularly those running on public-facing CMS platforms, are commonly deployed as internet-facing services, making this surface typically reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical security issue has been identified in the Restaurt theme, impacting versions up to 1.0.4. It allows authenticated users with limited privileges to upload arbitrary files, potentially leading to a compromise of the affected systems. The broad impact and high severity warrant attention to confirm relevance and exposure.

  • Allows unauthorized file uploads.
  • Business risk from potential system compromise.
  • Confirm if this theme is used.

Attack Path

How an attacker could exploit the issue

An attacker with low privileges could exploit this vulnerability by uploading an arbitrary file. This could allow them to execute code on the server, leading to complete system compromise.

  • Requires authenticated access.
  • Triggered by uploading a specially crafted file.
  • Allows arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

An authenticated attacker with low privileges could upload arbitrary files to a web application, potentially leading to a compromise of the application's integrity and confidentiality. This could allow for the execution of malicious code or the modification of application behavior.

  • Arbitrary file upload.
  • Malicious file upload over network.
  • Application compromise and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical arbitrary file upload vulnerability in the Restaurt theme necessitates immediate attention from platform or application owners responsible for managing WordPress deployments. The first practical step is to inventory all instances of the affected theme, confirm their exposure to external networks, and identify the specific business-criticality and accountable stakeholders for each. This information will inform a risk-based remediation plan, potentially involving vendor coordination or temporary mitigation if direct patching is not immediately feasible.

  • Application owners must own this issue.
  • Verify all affected theme installations.
  • Plan remediation based on exposure.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-22327 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves an arbitrary file upload vulnerability, which is a type of flaw that typically causes a PCI ASV scan to fail. Remediation is likely required for a passing attestation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the Restaurt software?

Restaurt is a WordPress theme designed to help users build and style restaurant-focused websites. Like other themes, it functions as a component that controls the layout, visual design, and specific interactive elements of a site managed through the WordPress content management system.

What does CVE-2026-22327 mean?

This vulnerability is classified as CWE-434, Unrestricted Upload of File with Dangerous Type. In simple terms, it means the software fails to properly validate the files users try to upload, allowing an attacker to submit malicious scripts or files that the server might mistakenly store or run.

How is this vulnerability triggered?

An attacker must have an authenticated account with low-level privileges, such as a subscriber, to initiate the upload. The flaw is not triggered by public visitors who lack an account; the malicious action requires the ability to interact with the theme's upload functionality using a specially crafted file.

Is my site at risk?

If you use the Restaurt theme, Halo Surface Signal notes that because WordPress sites are often internet-facing, this vulnerability is typically reachable by attackers over the network. You should prioritize assessing any WordPress installation where this theme is active and reachable by external users.

What steps should I take now?

Begin by auditing your environment to confirm where Restaurt 1.0.4 or earlier is currently deployed. Once identified, document which instances are accessible via the internet to prioritize your response. Consult with your technical team to evaluate available vendor updates or consider temporarily disabling the theme if a patch is not yet applied.
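The inventory step described under Operational Fix and in the answer above can be scripted. The following is an added example, not code from the advisory or the theme vendor: it walks the standard `wp-content/themes/*/style.css` layout under each WordPress root given on the command line, reads the theme header, and flags every installed copy of Restaurt at version 1.0.4 or earlier, whether or not the theme is currently active. The function names and the script name in the usage comment are assumptions made for the example.

```python
import re
import sys
from pathlib import Path

THEME_NAME = "restaurt"     # theme name from the advisory, compared case-insensitively
LAST_AFFECTED = (1, 0, 4)   # the advisory lists versions up to 1.0.4 as affected

# WordPress reads theme metadata from "Field: value" lines in the style.css header comment.
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)


def parse_header(css_text):
    """Return the Theme Name and Version header fields, keyed in lower case."""
    fields = {}
    for key, value in HEADER.findall(css_text[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields


def version_tuple(version):
    """'1.0.4' -> (1, 0, 4); None when the string holds no digits."""
    parts = [int(p) for p in re.findall(r"\d+", version or "")]
    if not parts:
        return None
    return tuple(parts + [0] * (3 - len(parts)))


def find_affected(wp_roots):
    """List (theme_dir, version, affected) for every Restaurt copy under the given roots."""
    findings = []
    for root in wp_roots:
        for css in sorted(Path(root).glob("wp-content/themes/*/style.css")):
            fields = parse_header(css.read_text(encoding="utf-8", errors="replace"))
            if fields.get("theme name", "").lower() != THEME_NAME:
                continue
            ver = version_tuple(fields.get("version"))
            # An unreadable version is treated as affected so it gets a manual look.
            affected = ver is None or ver <= LAST_AFFECTED
            findings.append((str(css.parent), fields.get("version", "unknown"), affected))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical script name): python find_restaurt.py /var/www/site1 /var/www/site2
    for theme_dir, version, affected in find_affected(sys.argv[1:]):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:10}  {theme_dir}")
```

Matching on the `Theme Name` header rather than the directory name catches copies installed under a renamed folder; child themes that declare their own name are not covered and need a separate check.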
