The vulnerability identified as CVE-2026-24960 affects the zozothemes Charety plugin, a WordPress plugin designed for charity and fundraising websites. The issue is an unrestricted file upload vulnerability, meaning the plugin does not properly restrict or validate the types of files that can be uploaded by users. This allows an attacker to upload files with dangerous types, such as executable scripts or web shells, which can then be executed on the server. The vulnerability exists in all versions prior to 2.0.2, with no specific version range provided beyond that. The lack of proper file type validation or sanitization is a common security flaw that can lead to remote code execution, privilege escalation, or full site compromise. Although no known exploits have been reported in the wild, the vulnerability is publicly disclosed and could be targeted by attackers. The plugin’s upload functionality, if accessible without authentication or with minimal restrictions, increases the risk of exploitation. The absence of a CVSS score requires an assessment based on the nature of the vulnerability, which is severe due to the potential for attackers to execute arbitrary code and control affected systems. The vulnerability was reserved in January 2026 and published in March 2026, indicating recent discovery and disclosure. No official patches or mitigation links are currently provided, emphasizing the need for users to monitor vendor updates closely.

The unrestricted upload of dangerous file types can have severe consequences for organizations using the Charety plugin. Successful exploitation could allow attackers to upload malicious scripts or web shells, leading to remote code execution on the web server. This can result in full website compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is at risk due to potential data exposure, integrity can be compromised through unauthorized modifications, and availability may be affected by denial-of-service conditions or destructive payloads. Organizations relying on the affected plugin for fundraising or charity activities may face reputational damage and loss of donor trust. The ease of exploitation, especially if upload functionality is publicly accessible, increases the threat level. Although no exploits are currently known in the wild, the public disclosure may prompt attackers to develop and deploy exploit code. The impact extends to any organization or individual operating WordPress sites with this plugin installed, particularly those who have not updated to a secure version.

1. Immediately update the Charety plugin to version 2.0.2 or later once the vendor releases a patch addressing this vulnerability. 2. Until a patch is available, disable or restrict file upload functionality within the plugin or WordPress to trusted users only. 3. Implement strict server-side validation of uploaded files, including checking MIME types, file extensions, and scanning for malicious content. 4. Use web application firewalls (WAFs) to detect and block suspicious file upload attempts. 5. Monitor web server logs and upload directories for unusual or unauthorized files. 6. Restrict execution permissions on upload directories to prevent execution of uploaded scripts. 7. Employ principle of least privilege for web server processes to limit damage in case of compromise. 8. Educate site administrators on the risks of unrestricted file uploads and encourage timely patching. 9. Regularly back up website data and configurations to enable recovery in case of an incident. 10. Consider deploying intrusion detection/prevention systems (IDS/IPS) to identify exploitation attempts.