Impact
The BM Content Builder plugin contains an improper limitation of a pathname to a restricted directory. An attacker who can supply a crafted file path can delete arbitrary files on the server that the WordPress process can write to. This can cause data loss, compromise site integrity, and disrupt availability. The vulnerability is a classic Path Traversal flaw (CWE-22). From the description it is inferred that exploitation likely requires access to the plugin's file deletion feature, which may be available to authenticated users with sufficient privileges; the source description does not state whether an unauthenticated user can trigger it.
Affected Systems
SeaTheme BM Content Builder plugin versions earlier than 3.16.3.3 on WordPress sites.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity with an estimated exploit complexity of low to medium. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild at this time. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation would likely require an attacker to send a deletion request with a crafted path, potentially removing sensitive files or undermining site stability. It is inferred that the attack vector is web-based, originating from a user interacting with the plugin interface or issuing crafted HTTP requests. Missing or inadequate authentication checks raise the risk, while limited privileges or compensating controls reduce it.
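The following is an added example (not code from the BM Content Builder plugin or from SeaTheme) illustrating the two controls that close this class of flaw in a WordPress file-deletion handler: confining the resolved path to one base directory, and gating the request behind a capability check and a nonce. The helper names, the hook name hypothetical_delete_action and the directory hypothetical-plugin are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Function names, the nonce action and
// the plugin subdirectory are hypothetical.

/**
 * Delete $relative inside $baseDir only if the canonical path stays within
 * $baseDir. Returns true on success, false when the request is rejected.
 */
function safe_delete_within(string $baseDir, string $relative): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                       // base directory must exist
    }
    // Reject empty input, NUL bytes and absolute paths up front. realpath()
    // resolves '..' and symlinks, so the containment check below is made on
    // the real location of the file, not on the string the caller supplied.
    if ($relative === '' || strpos($relative, "\0") !== false || $relative[0] === '/') {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false || !is_file($target)) {
        return false;                       // missing file or not a regular file
    }
    // Containment: the resolved target must sit beneath the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                       // path escaped the restricted directory
    }
    return unlink($target);
}

// WordPress-style request wrapper (hypothetical). Besides path containment,
// deletion requires a capability check and a nonce so that only an
// authorised, intentional request reaches the filesystem.
function hypothetical_handle_delete_request(): void
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('hypothetical_delete_action', 'nonce');
    $uploads  = wp_upload_dir();
    $relative = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    $ok = safe_delete_within($uploads['basedir'] . '/hypothetical-plugin', $relative);
    $ok ? wp_send_json_success() : wp_send_json_error('rejected', 400);
}

// Stand-alone demonstration against a constructed temporary directory:
// a traversal outside the allowed directory is rejected, a file inside it
// is deleted.
if (PHP_SAPI === 'cli' && !function_exists('wp_upload_dir')) {
    $tmp = sys_get_temp_dir() . '/path_demo_' . bin2hex(random_bytes(4));
    mkdir($tmp . '/allowed', 0700, true);
    file_put_contents($tmp . '/allowed/keep.txt', 'inside');
    file_put_contents($tmp . '/outside.txt', 'outside');

    var_dump(safe_delete_within($tmp . '/allowed', '../outside.txt'));
    var_dump(file_exists($tmp . '/outside.txt'));
    var_dump(safe_delete_within($tmp . '/allowed', 'keep.txt'));
    var_dump(file_exists($tmp . '/allowed/keep.txt'));

    @unlink($tmp . '/outside.txt');
    @rmdir($tmp . '/allowed');
    @rmdir($tmp);
}
```

The containment check compares the realpath()-resolved target against the base directory plus a trailing separator, so a sibling directory whose name merely starts with the base name (for example allowed-other) is also rejected. For detection, a request to the deletion endpoint whose file parameter contains "../" or an absolute path is a useful web-log indicator, and unexpected unlink activity outside the plugin's directory by the web server user is worth alerting on.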
OpenCVE Enrichment