Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal. This issue affects Energox: from n/a through <= 1.2.
Published: 2026-03-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion via Path Traversal
Action: Update Theme
AI Analysis

Impact

The vulnerability allows an attacker to craft requests that bypass the Energox theme’s file handling logic and delete any file located within the web root. This leads to loss of critical site data or configuration files, directly compromising the integrity and availability of the WordPress installation.

Affected Systems

Any WordPress site using the designingmedia Energox theme version 1.2 or earlier is affected. The theme itself is the only component that handles file deletion and relative paths, so other plugins or themes are not implicated.

Risk and Exploitability

The issue carries a high severity rating (CVSS 7.7) and a very low EPSS exploitation probability (< 1%). Per the CVSS vector, it is reachable over the network with low attack complexity, requires a low-privileged account, and needs no user interaction; exploitation would require the attacker to trigger the theme’s file deletion functionality, likely through a crafted URL or form submission. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, which suggests it is not being actively exploited. Because it results in arbitrary deletion of server files, successful exploitation would allow denial of service or further compromise of the site.

Generated by OpenCVE AI on March 27, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Energox to a version greater than 1.2 or remove the theme entirely
  • If an immediate upgrade is not possible, disable any file deletion features exposed by the theme or restrict them to a secure context
  • Configure strict file permissions on the WordPress content directory to prevent unauthorized deletion
  • Monitor server and WordPress logs for indications of file manipulation attempts


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Designingmedia; Designingmedia energox; Wordpress; Wordpress wordpress
Vendors & Products | | Designingmedia; Designingmedia energox; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal. This issue affects Energox: from n/a through <= 1.2.
Title | | WordPress Energox theme <= 1.2 - Arbitrary File Deletion vulnerability
Weaknesses | | CWE-22
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:42.667Z

Reserved: 2026-01-28T09:50:41.578Z

Link: CVE-2026-24970

Vulnrichment

Updated: 2026-03-27T15:12:40.784Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:38.947

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:28Z

Weaknesses