Impact
This vulnerability is a CSRF flaw in the Child Themes Helper WordPress plugin. A file‑deletion action accepts a user‑supplied path without a CSRF token and without neutralising path traversal sequences (`../`), so a request forged by a third‑party page and sent by a logged‑in user's browser makes the plugin delete arbitrary files on the server, bounded only by the filesystem permissions of the web server process. The result is a loss of file integrity and availability for the affected site. No code execution is achieved: the attacker gains only the file‑deletion authority that the victim's account already holds, exercised without the victim's knowledge. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery). Because the attack rides on the victim's own session, its reach is limited to what a user with file‑deletion rights can do through the plugin, but a single forged request delivered to any such user can erase critical theme files.
Affected Systems
WordPress sites running the Child Themes Helper plugin, developed by Paul Swarthout, at version 2.2.7 or earlier. No other vendors or product families are listed.
Risk and Exploitability
The CVSS score of 6.1 places the issue in the medium severity range. EPSS is below 1%, indicating that, at the time of analysis, exploitation attempts are expected to be rare and opportunistic. The vulnerability is not currently listed in the CISA KEV catalog. As with any CSRF flaw, the attacker never needs the victim's credentials: the victim's browser attaches the WordPress session cookies automatically when it issues the forged request, typically from an attacker‑controlled page, link or image tag loaded while the victim is logged into the WordPress admin. Without an active victim session the flaw cannot be exploited; with one, the attacker can delete any file the victim is permitted to delete. One exploitability caveat: Chromium‑based browsers default cookies to SameSite=Lax, which withholds the session cookie on cross‑site POST submissions but still sends it on top‑level GET navigations, so a deletion triggered by a plain GET link remains reachable. The practical risk is moderate: the vulnerability can break the site, but it does not grant remote code execution. Upgrading past version 2.2.7 removes the issue; the standard WordPress defences against this class of bug are a nonce check (check_admin_referer() or wp_verify_nonce()) on every state‑changing request, a capability check on the acting user, and canonicalisation of any user‑supplied path before it is compared with the directory the plugin is allowed to touch. For detection, review web‑server and WordPress activity logs for requests to the plugin's endpoints that contain `../` sequences or name files outside the theme directory, and alert on unexpected deletions of theme files.
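The bug class described in the Impact and Risk sections, as an added example that is not the plugin's own code: a hypothetical WordPress delete handler in the shape a CSRF‑plus‑traversal flaw takes, beside a hardened version that applies the nonce, capability and path‑containment checks named above. The function names, the `cth_delete` and `cth_nonce` request parameters and the `cth_delete_file` nonce action are assumptions made for this illustration.

```php
<?php
// Added example, not code from the Child Themes Helper plugin: a hypothetical
// WordPress admin action that deletes a file belonging to the child theme.
// The function names, the 'cth_delete' / 'cth_nonce' parameters and the
// 'cth_delete_file' nonce action are assumptions made for this illustration.

// VULNERABLE PATTERN (the shape of a CSRF + path traversal bug).
// No nonce, no capability check, no path validation: a third-party page that
// makes the victim's browser request
//   /wp-admin/?cth_delete=../../../../wp-config.php
// while the victim is logged in deletes that file as the web server user.
function cth_vulnerable_delete_handler() {
    if ( empty( $_GET['cth_delete'] ) ) {
        return;
    }
    $theme_dir = get_stylesheet_directory();              // e.g. /var/www/wp-content/themes/child
    $target    = $theme_dir . '/' . $_GET['cth_delete'];  // "../" passes straight through
    if ( file_exists( $target ) ) {
        unlink( $target );
    }
}

// HARDENED PATTERN: CSRF nonce, capability check and path containment.
function cth_hardened_delete_handler() {
    if ( empty( $_POST['cth_delete'] ) ) {
        return;
    }

    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action; a request forged from another origin cannot know it.
    //    check_admin_referer() terminates the request if the nonce is bad.
    check_admin_referer( 'cth_delete_file', 'cth_nonce' );

    // 2. Authorization: deleting theme files requires the edit_themes capability.
    if ( ! current_user_can( 'edit_themes' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Path containment: realpath() collapses "..", repeated separators and
    //    symlinks, so comparing the resolved target with the resolved theme
    //    directory cannot be bypassed by traversal sequences or symlinks.
    $theme_dir = realpath( get_stylesheet_directory() );
    if ( false === $theme_dir ) {
        wp_die( 'Theme directory unavailable.', '', array( 'response' => 500 ) );
    }
    $target = realpath( $theme_dir . '/' . wp_unslash( $_POST['cth_delete'] ) );
    if ( false === $target ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }
    if ( 0 !== strpos( $target, $theme_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Path is outside the child theme directory.', '', array( 'response' => 400 ) );
    }
    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_die( 'Could not delete file.', '', array( 'response' => 500 ) );
    }
}
add_action( 'admin_init', 'cth_hardened_delete_handler' );

// The form that legitimately triggers the deletion embeds the matching nonce;
// a page on another origin cannot reproduce it.
function cth_render_delete_form( $relative_path ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url() ); ?>">
        <?php wp_nonce_field( 'cth_delete_file', 'cth_nonce' ); ?>
        <input type="hidden" name="cth_delete" value="<?php echo esc_attr( $relative_path ); ?>">
        <button type="submit">Delete file</button>
    </form>
    <?php
}
```

The three checks address three separate failures: the nonce stops a forged request from another origin, the capability check stops a low‑privilege user who can obtain a nonce, and the realpath() containment stops an authorised user (or a forged request on their behalf) from reaching outside the theme directory. Note that the vulnerable handler acts on GET, so a single link or image tag is enough to trigger it; switching to POST alone would not fix it, since cross‑site form submissions are still possible without a nonce.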