{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22448", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:43:49.724Z", "datePublished": "2026-03-25T16:14:22.252Z", "dateUpdated": "2026-03-25T16:14:22.252Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pitchprint", "product": "PitchPrint", "vendor": "flexcubed", "versions": [{"changes": [{"at": "11.2.0", "status": "unaffected"}], "lessThanOrEqual": "<= 11.1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:04.306Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.<p>This issue affects PitchPrint: from n/a through <= 11.1.2.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.252Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pitchprint/vulnerability/wordpress-pitchprint-plugin-11-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress PitchPrint plugin <= 11.1.2 - Arbitrary File Deletion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2."}], "id": "CVE-2026-22448", "lastModified": "2026-03-25T17:16:30.507", "metrics": {}, "published": "2026-03-25T17:16:30.507", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pitchprint/vulnerability/wordpress-pitchprint-plugin-11-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:28:18.077203+00:00", "value": {"mitigation_remediation": ["Upgrade the PitchPrint plugin to a version newer than 11.1.2. ", "If an upgrade is not possible, disable or remove the plugin entirely. ", "Restrict filesystem permissions to prevent the web server from deleting critical files. ", "Monitor server logs for suspicious file deletion attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress PitchPrint plugin from flexcubed. All releases up to and including version 11.1.2 are vulnerable; no other versions are listed.", "description_and_impact": "The vulnerability is an improper limitation of a pathname that allows path traversal. An attacker can supply a crafted file path that bypasses directory restrictions and delete arbitrary files on the web server. This results in loss of data integrity and can disrupt website functionality if critical files are removed. The weakness is classified as CWE-22, a severe integrity violation.", "risk_and_exploitability": "The likely attack vector is any user able to trigger the plugin\u2019s delete function, probably an authenticated administrator or any user who can invoke the endpoint. Because the issue permits deletion of arbitrary files, it could bring a site down or compromise sensitive configuration data. Although EPSS data is not available and the vulnerability is not in the KEV catalog, the combination of a path traversal flaw and file deletion capability suggests a high-severity risk that should be addressed promptly."}}}}, "created": "2026-03-25T21:35:30.716009+00:00", "updated": "2026-03-25T21:35:30.716036+00:00", "vendors": []}