Impact
The WP Pipes plugin improperly limits a pathname to a restricted directory, which allows path traversal and enables the deletion of any file on the web server. This flaw directly jeopardizes the integrity and availability of site content, configuration files, and critical media. The weakness is classified as CWE-22, a classic path traversal vulnerability that allows tampering with the file system.
Affected Systems
All WordPress sites that include the ThimPress WP Pipes plugin version 1.4.3 or earlier are vulnerable. The plugin itself is affected, regardless of other installed WordPress components. The Common Platform Enumeration entry identifies a WordPress plugin, not a specific operating system or application bundle.
Risk and Exploitability
With a CVSS score of 8.6, the vulnerability is rated high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The attack is likely to occur through web requests to the plugin's file handling interface; the description does not explicitly require authentication, so the attack may be carried out by unauthenticated users or those with limited privileges. Successful exploitation would result in the removal of arbitrary files, potentially crippling the application or destroying essential data.
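The defence against this class of bug (CWE-22 on a delete operation) is to resolve the requested path and confirm it still lies inside the intended directory before calling `unlink()`. The PHP below is an added example, not code from WP Pipes or ThimPress; the function name `safe_delete_within`, the directory layout and the sample files are assumptions constructed for illustration.

```php
<?php
// Added illustration; not WP Pipes code. Names and layout are hypothetical.

/**
 * Delete $userPath only if it resolves to a regular file inside $baseDir.
 * Returns true when the file was deleted, false when the request is rejected.
 */
function safe_delete_within(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Reject empty input and NUL bytes before touching the file system.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks; false means no such target.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return false;
    }
    // Compare against the base WITH a trailing separator, so a sibling such
    // as ".../uploads-old" is not accepted as being inside ".../uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only regular files are deletable; directories are refused.
    return is_file($target) && unlink($target);
}

// Constructed demo data in a throwaway temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pipes_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/cache.tmp', 'constructed');
file_put_contents($root . '/site-config.txt', 'constructed stand-in for a config file');

// A file inside the allowed directory.
var_dump(safe_delete_within($root . '/uploads', 'cache.tmp'));
// A path that resolves outside the allowed directory.
var_dump(safe_delete_within($root . '/uploads', '../site-config.txt'));
// The file outside the allowed directory must still exist afterwards.
var_dump(file_exists($root . '/site-config.txt'));

// Clean up the demo directory.
unlink($root . '/site-config.txt');
rmdir($root . '/uploads');
rmdir($root);
```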