Description
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Directory Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the akd_required_plugin_callback function of the Eleganzo theme and stems from insufficient path validation. An authenticated user with at least Subscriber level can provide a directory path that bypasses checks and triggers deletion of arbitrary directories on the server, including the WordPress root. This flaw is a path traversal issue (CWE-22) that can lead to loss of data, site downtime, and potentially full server compromise if the attacker deletes critical files.

Affected Systems

WordPress installations that use the Eleganzo theme by DesigningMedia, specifically all releases up to and including version 1.2. No other versions or vendors are affected per the current vendor list.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity assessment. Exploit probability metrics are not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication; an attacker with Subscriber or higher access can trigger the deletion via the theme’s administrative interface. Once invoked, the deletion is unconditional, granting the attacker the ability to remove any directory accessible to the web server process, which can result in site defacement, data loss, or further privilege escalation if additional vulnerabilities exist.

Generated by OpenCVE AI on April 15, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eleganzo theme to any release newer than 1.2 that addresses the path validation flaw.
  • If an immediate upgrade is not feasible, disable or restrict access to the akd_required_plugin_callback function so that only trusted administrators can trigger it.
  • Enforce strict file system permissions and implement whitelisting of allowed directories to prevent the web server from deleting arbitrary folders.
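The access-restriction and allow-listing actions above, as an added PHP example that is not the advisory's or the Eleganzo theme's own code. All function, action and nonce names are hypothetical, and it assumes the feature is only ever meant to remove directories under the theme's own bundled-plugins folder.

```php
<?php
// Added illustration, not the Eleganzo theme's code: an allow-listed directory check behind a capability gate.

// Return the resolved path of $candidate only if it is an existing directory
// strictly inside $allowedBase; otherwise return null.
function eleganzo_example_resolve_deletable_dir(string $allowedBase, string $candidate): ?string
{
    // Reject empty input and embedded null bytes before touching the filesystem.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks; false means "does not exist".
    $base   = realpath($allowedBase);
    $target = realpath($candidate);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    $baseWithSep   = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $targetWithSep = rtrim($target, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Strict descendant: shares the base prefix and is not the base itself, so the base is never deleted.
    if (strlen($targetWithSep) <= strlen($baseWithSep)
        || strncmp($targetWithSep, $baseWithSep, strlen($baseWithSep)) !== 0) {
        return null;
    }
    return $target;
}

// Hypothetical hardened AJAX handler: Subscribers never reach the deletion, because
// the capability check and nonce run first, then the containment check above.
function eleganzo_example_delete_bundled_plugin_callback(): void
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    check_ajax_referer('eleganzo_example_delete', 'nonce');
    // Assumption: only directories under the theme's own bundled-plugins folder may be removed.
    // basename() keeps the request to a single path component; realpath() above does the rest.
    $allowed   = get_theme_file_path('plugins');
    $requested = isset($_POST['dir']) ? (string) wp_unslash($_POST['dir']) : '';
    $dir = eleganzo_example_resolve_deletable_dir($allowed, $allowed . '/' . basename($requested));
    if ($dir === null) {
        wp_send_json_error('directory not permitted', 400);
    }
    // Only now would a recursive delete of $dir run (e.g. via WP_Filesystem).
    wp_send_json_success(['deleted' => $dir]);
}
add_action('wp_ajax_eleganzo_example_delete', 'eleganzo_example_delete_bundled_plugin_callback');
```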

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Designingmedia; Designingmedia eleganzo; Wordpress; Wordpress wordpress
Vendors & Products   -                Designingmedia; Designingmedia eleganzo; Wordpress; Wordpress wordpress

Tue, 14 Apr 2026 23:45:00 +0000

Type         Values Removed   Values Added
Description  -                The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.
Title        -                Eleganzo <= 1.2 - Authenticated (Subscriber+) Arbitrary Directory Deletion
Weaknesses   -                CWE-22
References   -                -
Metrics      -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T17:26:49.516Z

Reserved: 2026-01-06T11:36:51.018Z

Link: CVE-2025-15470

Vulnrichment

Updated: 2026-04-15T17:26:38.557Z

NVD

Status: Received

Published: 2026-04-15T04:17:20.670

Modified: 2026-04-15T04:17:20.670

Link: CVE-2025-15470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:38Z

Weaknesses