Impact
The vulnerability is a path traversal flaw that permits deletion of arbitrary files on the server. By supplying a specially crafted path, an attacker can cause the plugin to delete files outside the directory it is intended to operate in. This can result in loss of critical WordPress data, configuration files, or media assets, thereby compromising data integrity and potentially disrupting site availability. The weakness is classified as CWE-22, improper limitation of a pathname to a restricted directory.
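The containment check that prevents this class of bug, shown as an added example rather than the plugin's own code; the scoped directory, file names and the delete_within_dir helper are assumptions for illustration:

```php
<?php
// Added example (not Tainacan's code): a deletion helper that refuses any
// path resolving outside the directory it is scoped to. $base_dir is assumed
// to be the plugin's intended directory, e.g. a subfolder of the uploads dir.

function delete_within_dir(string $base_dir, string $user_path): bool
{
    $base = realpath($base_dir);
    if ($base === false || $user_path === '' || strpos($user_path, "\0") !== false) {
        return false; // unusable base, empty input or NUL-byte truncation attempt
    }
    // realpath() collapses "../" segments and follows symlinks, so the check
    // below is made on the exact path unlink() would act on, not on raw input.
    $target = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($target === false) {
        return false; // nonexistent or unresolvable
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the scoped directory (CWE-22)
    }
    if (!is_file($target)) {
        return false; // regular files only, never directories
    }
    return unlink($target);
}

// Constructed demo layout: one file inside the scoped directory, one above it.
$scratch = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
$inside  = $scratch . DIRECTORY_SEPARATOR . 'uploads';
mkdir($inside, 0700, true);
file_put_contents($inside . DIRECTORY_SEPARATOR . 'item.jpg', 'x');
file_put_contents($scratch . DIRECTORY_SEPARATOR . 'wp-config.php', 'x');

// A traversal-style path is refused and the file above the directory survives.
var_dump(delete_within_dir($inside, '../wp-config.php'));
var_dump(file_exists($scratch . DIRECTORY_SEPARATOR . 'wp-config.php'));
// An in-scope file is deleted normally.
var_dump(delete_within_dir($inside, 'item.jpg'));

// Clean up the constructed demo files.
unlink($scratch . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($inside);
rmdir($scratch);
```

The same prefix check should also be applied on the resolved path of any rename, move or read endpoint the plugin exposes, since realpath normalization is what makes the comparison meaningful.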
Affected Systems
The issue affects the Tainacan WordPress plugin, versions up to and including 0.21.14. Any WordPress installation running Tainacan 0.21.14 or earlier is impacted, regardless of the WordPress core version.
Risk and Exploitability
The CVSS score of 8.6 reflects a high severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves interacting with the plugin’s file deletion endpoint, which may require authenticated access to the WordPress admin interface; therefore, attackers with administrative credentials pose a higher threat. Even without full admin rights, targeted exploitation might still be possible through exposed endpoints or query parameters, so the risk remains significant for sites with exposed administrative interfaces.
OpenCVE Enrichment