Impact
An attacker can exploit a path traversal flaw in the designingmedia Instant VA theme to delete arbitrary files from the server. The theme resolves file paths outside its intended directory, which allows the removal of critical website files such as configuration or content files and can lead to site downtime or loss of data. The weakness is a classic Path Traversal (CWE‑22) that primarily affects the availability of the affected WordPress site and does not directly grant code execution. The impact is limited to file deletion but can have significant operational consequences. Based on the description, an attacker could craft a request that manipulates the file path to target files outside the intended directory.
Affected Systems
The vulnerability affects the designingmedia Instant VA WordPress theme, from the earliest known release through version 1.0.1. All installations running 1.0.1 or any earlier build are potentially vulnerable. The issue does not apply to versions released after 1.0.1, assuming the patch has been applied.
Risk and Exploitability
The CVSS score of 7.7 classifies the flaw as high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an HTTP request that provides a crafted file path parameter, so the exploit is web‑based. Although the probability of attack is low, the destructive nature of arbitrary file deletion warrants a prompt response.