26 Jan 2024

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator expressing concern about continuing to use the plugin, because Wordfence claims it contains a “critical vulnerability”:

This critical vulnerability has me worried. It keeps coming up in my Wordfence scans. I’m thinking about deactivating and deleting this plugin for now (at least until it’s patched).

Here is the claimed vulnerability as mentioned by a previous poster:

The WP Child Theme Generator plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.8. This makes it possible for administrators to upload arbitrary files on the affected site’s server which may make remote code execution possible.

WordPress Administrators are allowed to do that. They are Administrators. They couldn’t, for example, upload plugins if they couldn’t do that.

Despite this being something they are already allowed to do, Wordfence is claiming this has a CVSS3 severity score of 9.1 out of 10:

Again, WordPress already allows Administrators to do what is claimed to be a vulnerability there.

Wordfence is sourcing this to Patchstack, which is also giving this the same severity score:

(There does appear to be some improperly secured code that wasn’t fully addressed in an update released after the vulnerability claim was made.)
