Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal. This issue affects PitchPrint: from n/a through <= 11.1.2.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion may compromise site integrity and availability
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw that allows an attacker to delete arbitrary files from the server. An attacker who can trigger the vulnerable functionality can remove core website files, configuration files, or other critical assets, potentially leading to site downtime, data loss, or facilitating further compromise. The weakness is classified as CWE-22, improper limitation of a pathname to a restricted directory.

Affected Systems

The flaw exists in the flexcubed PitchPrint WordPress plugin versions up to and including 11.1.2. Any WordPress site that has this plugin installed within that version range is susceptible, regardless of the overall WordPress version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact and a moderate complexity attack. The EPSS score of less than 1% suggests that current exploitation rates are low, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the flaw can be leveraged remotely through the plugin's interface if an attacker can gain the necessary access, exposing the site to potential data loss and downtime.

Generated by OpenCVE AI on March 27, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PitchPrint plugin version, any release above 11.1.2.
  • If an upgrade is not immediately possible, disable or delete the plugin from the WordPress installation.
  • Restrict file permissions on the plugin directory to prevent unauthorized write or delete operations.
  • Enable logging and monitor for unexpected file deletions or path traversal attempts.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 18:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Flexcubed; Flexcubed pitchprint; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Flexcubed; Flexcubed pitchprint; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal. This issue affects PitchPrint: from n/a through <= 11.1.2.

Type: Title
Values Added: WordPress PitchPrint plugin <= 11.1.2 - Arbitrary File Deletion vulnerability

Type: Weaknesses
Values Added: CWE-22

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:02.871Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22448

Vulnrichment

Updated: 2026-03-27T17:57:38.775Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:30.507

Modified: 2026-04-23T15:36:31.417

Link: CVE-2026-22448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:33Z

Weaknesses