Description
Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions.
Published: 2026-06-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated user to delete arbitrary files from the server when using Car Zone theme version 3.7 or earlier. This flaw arises from insufficient path validation, enabling the attacker to remove any file the web server process can access, which can corrupt site data, break functionality, and deny legitimate users service. The weakness is identified as CWE‑22, a path traversal/relative path vulnerability. Evidence shows no remote code execution, but the impact on confidentiality, integrity, and availability is significant because attackers can erase critical files such as configuration, media, or theme files.

Affected Systems

The issue affects installations of the AivahThemes Car Zone WordPress theme up to and including version 3.7. Any WordPress site running this theme where the theme's endpoints are reachable by unauthenticated requests is at risk until the theme is upgraded or removed.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity. The EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in CISA KEV, implying it is not a known exploited vulnerability at the time of this analysis. The attack vector is not explicitly specified in the CVE documentation; it is inferred that unauthenticated access to the theme’s web interface could enable the deletion operation. The vulnerability can be exploited without authentication if the theme is publicly exposed, making the risk high for any public WordPress site that has not patched or removed the theme.

Generated by OpenCVE AI on June 17, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Car Zone theme to the latest version that removes the deletion flaw.
  • If an upgrade is not immediately possible, replace the theme with a secure alternative or switch to the default WordPress theme to eliminate the attack surface.
  • Monitor file integrity and server logs for unexpected deletions.
  • Implement file system permissions and read‑only mounts for web directories to limit the impact of future path traversal attempts.
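
As an added illustration of the path validation this record says the theme lacks (not code from the Car Zone theme or from OpenCVE), the PHP function below refuses to delete anything that does not resolve to a regular file below a fixed base directory; the function name and the demo directory layout are assumptions. In a WordPress handler the same deletion would additionally sit behind a capability check and nonce verification, since the flaw described here is reachable without authentication.

```php
<?php
// Added example, not from the Car Zone theme: confine a requested deletion to $baseDir.
// Requires PHP 8 (str_contains / str_starts_with).

function safe_delete_within(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;                                   // base directory must exist
    }
    // Reject NUL bytes, absolute paths and drive prefixes before touching the filesystem.
    if (str_contains($requested, "\0") || str_starts_with($requested, '/')
        || str_starts_with($requested, '\\') || preg_match('/^[A-Za-z]:/', $requested)) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix test is on the real location.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;                                   // missing, or not a regular file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (!str_starts_with($target, $prefix)) {
        error_log("safe_delete_within: rejected path outside base: " . $requested);
        return false;                                   // resolved outside the allowed tree
    }
    return unlink($target);
}

// Demo on a constructed directory layout under the system temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cz_demo_' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/photo.jpg', 'constructed sample bytes');
file_put_contents($root . '/wp-config.php', '<?php // constructed file outside uploads');

// A file inside uploads/ is eligible; a request that resolves above uploads/ is refused.
echo 'photo.jpg: ', safe_delete_within($root . '/uploads', 'photo.jpg') ? 'deleted' : 'refused', "\n";
echo '../wp-config.php: ', safe_delete_within($root . '/uploads', '../wp-config.php') ? 'deleted' : 'refused', "\n";
echo 'wp-config.php still present: ', file_exists($root . '/wp-config.php') ? 'yes' : 'no', "\n";

// Clean up the demo directory.
unlink($root . '/wp-config.php');
rmdir($root . '/uploads');
rmdir($root);
```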

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 05:15:00 +0000

  • First Time appeared (values added): Aivahthemes; Aivahthemes car Zone; Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Aivahthemes; Aivahthemes car Zone; Wordpress; Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

  • Description (values added): Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions.
  • Title (values added): WordPress Car Zone theme <= 3.7 - Arbitrary File Deletion vulnerability
  • Weaknesses (values added): CWE-22
  • References (values added):
  • Metrics (values added): cvssV3_1
    {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:49:09.391Z

Reserved: 2025-12-29T11:19:41.704Z

Link: CVE-2025-69139

Vulnrichment

Updated: 2026-06-17T10:49:01.695Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T02:30:14Z

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')