Impact
The vulnerability is an improper limitation of a pathname to a restricted directory (CWE-22) in the WordPress Litho theme: a file path taken from the request is not confined to the directory the theme intends to operate in, so traversal segments ("../") let an attacker reach and delete files outside it. The deletion is carried out by the web server process, and unlinking a file requires write permission on its parent directory rather than on the file itself, so every file in a directory that process can write to is at risk: site content and uploads, configuration files such as wp-config.php, and any backups kept under the web root. The high CVSS score of 8.6 reflects the potential for data loss and site disruption; no code execution is required to cause either.
Affected Systems
This flaw affects the Litho theme by themezaa from its earliest released version up through version 3.0. WordPress sites that have installed and activated the theme are vulnerable. Administrators should confirm the installed version, via Appearance > Themes in the dashboard, the Version header at the top of the theme's style.css, or `wp theme list` with WP-CLI, and treat anything at or below 3.0 as affected.
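The version check described above, as an added example that is not part of the advisory and not themezaa's code: a standalone PHP script that reads the Version header every WordPress theme declares in its style.css and compares it against the affected range. The theme directory slug (litho) and the 3.0 upper bound are assumptions taken from the advisory text; the embedded style.css header is constructed so the parser can be exercised without a live installation.

```php
<?php
// Added example, not the Litho theme's code. Extracts the "Version:" header
// from a WordPress theme's style.css and reports whether it falls in the
// affected range (<= 3.0, per the advisory). The slug "litho" is assumed.

const LITHO_LAST_AFFECTED = '3.0';

/**
 * Parse the Version header from the comment block at the top of style.css.
 * Returns null when no header is present.
 */
function theme_version_from_style_css(string $contents): ?string
{
    if (preg_match('/^\s*\*?\s*Version:\s*(\S+)/mi', $contents, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when the parsed version is at or below the last affected release. */
function litho_is_affected(?string $version): bool
{
    // version_compare() ranks "3.0.0" above "3.0"; pad LITHO_LAST_AFFECTED
    // to three components if the installed theme uses three-part versions.
    return $version !== null && version_compare($version, LITHO_LAST_AFFECTED, '<=');
}

/** Inspect a real installation rooted at $wp_root (the directory holding wp-content). */
function check_installed_theme(string $wp_root): string
{
    $css = $wp_root . '/wp-content/themes/litho/style.css'; // slug is an assumption
    if (!is_readable($css)) {
        return 'Litho not found under ' . $wp_root;
    }
    $version = theme_version_from_style_css((string) file_get_contents($css));
    return sprintf(
        'Litho %s: %s',
        $version ?? 'unknown',
        litho_is_affected($version) ? 'AFFECTED (<= 3.0)' : 'not in the affected range'
    );
}

// Constructed sample header in the shape WordPress expects; not a real file.
$sample = <<<CSS
/*
Theme Name: Litho
Version: 2.9.1
*/
CSS;

if (PHP_SAPI === 'cli') {
    $v = theme_version_from_style_css($sample);
    printf("sample style.css -> version %s, affected: %s\n", $v, litho_is_affected($v) ? 'yes' : 'no');
    if (isset($argv[1])) {
        // Usage: php check-litho.php /var/www/html
        echo check_installed_theme($argv[1]), "\n";
    }
}
```

Run it with the WordPress root as the first argument to inspect a real install; without an argument it only parses the constructed sample. The header parse is the same lookup WordPress itself performs when listing themes, so it works on a site whose dashboard is unavailable, for example while the site is being rebuilt after a deletion incident.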
Risk and Exploitability
The CVSS score of 8.6 indicates high severity, while the EPSS score of < 1% predicts a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector appears to be remote: HTTP requests to the theme's file-handling endpoints that carry a traversal sequence in the file parameter, which the theme resolves and deletes. The deletion runs with the privileges of the web server process, so any file in a directory that process can write to can be removed; on a typical host that covers wp-content (uploads, plugins, themes, and backups kept under the web root) and often wp-config.php itself. Removing wp-config.php is the classic escalation: with the configuration file absent, a default WordPress installation presents its setup wizard, which an attacker can drive against a database they control. No code execution is required for the primary impact, but arbitrary file deletion works as a denial of service, as a way to remove security controls (a security plugin's files, .htaccess rules), or as the foothold for further compromise.
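To make the CWE-22 pattern concrete, here is an added example of a hypothetical WordPress AJAX delete action in its vulnerable shape and in a hardened form. This is illustration written for this page, not the Litho theme's code: the action name demo_delete_upload, the function names, and the choice of the uploads directory as the intended base are all invented; the WordPress functions called (check_ajax_referer, current_user_can, wp_get_upload_dir, wp_send_json_error, wp_unslash) are real core APIs.

```php
<?php
// Added example, not the Litho theme's code. A hypothetical theme AJAX
// action "demo_delete_upload" shows the CWE-22 shape the advisory describes
// and one way to close it. All demo_* names and the action name are invented.

// --- Vulnerable shape: the request parameter is glued onto a base directory
// without normalisation, so "../../wp-config.php" walks out of it, and the
// handler checks neither a nonce nor a capability. Not registered below.
function demo_delete_upload_vulnerable(): void
{
    $base = wp_get_upload_dir()['basedir'];
    $file = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    $path = $base . '/' . $file;          // "../" segments survive concatenation
    if (file_exists($path)) {
        unlink($path);                    // deletes wherever $path resolved to
    }
    wp_send_json_success();
}

// --- Hardened shape: resolve, then require containment under the base.
function demo_resolve_inside(string $base, string $relative): ?string
{
    $real_base = realpath($base);
    $candidate = realpath($base . '/' . $relative);
    if ($real_base === false || $candidate === false) {
        return null;                       // base is bogus or target does not exist
    }
    // The resolved target must sit strictly below the resolved base. The
    // trailing separator stops "/uploads-old" from matching "/uploads".
    // realpath() follows symlinks, so a link inside uploads that points
    // outside resolves outside and is rejected here as well.
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null; // never unlink directories
}

function demo_delete_upload_hardened(): void
{
    check_ajax_referer('demo_delete_upload');             // CSRF token, dies on failure
    if (!current_user_can('upload_files')) {              // least privilege for the action
        wp_send_json_error('forbidden', 403);
    }
    $relative = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    $target = demo_resolve_inside(wp_get_upload_dir()['basedir'], $relative);
    if ($target === null) {
        wp_send_json_error('invalid file', 400);           // traversal, missing, or a directory
    }
    if (!unlink($target)) {
        wp_send_json_error('delete failed', 500);
    }
    wp_send_json_success(basename($target));
}

add_action('wp_ajax_demo_delete_upload', 'demo_delete_upload_hardened');
```

The containment check is deliberately done on the realpath() result rather than by stripping "../" from the input: encoded or doubled traversal sequences and symlinks are all handled by resolving first and comparing the resolved prefix afterwards. Blocking unauthenticated callers (no wp_ajax_nopriv_ registration) and requiring a capability also shrinks the population that can reach the handler at all, which matters because a CVSS 8.6 deletion primitive is still serious even when EPSS predicts little exploitation.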
OpenCVE Enrichment
EUVD