{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27040", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.875Z", "datePublished": "2026-03-25T16:14:52.312Z", "dateUpdated": "2026-03-25T16:14:52.312Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "woozone", "product": "WZone", "vendor": "AA-Team", "versions": [{"lessThanOrEqual": "<= 14.0.31", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:31.470Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal.<p>This issue affects WZone: from n/a through <= 14.0.31.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal.This issue affects WZone: from n/a through <= 14.0.31."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:52.312Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woozone/vulnerability/wordpress-wzone-plugin-14-0-31-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress WZone plugin <= 14.0.31 - Arbitrary File Deletion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal.This issue affects WZone: from n/a through <= 14.0.31."}], "id": "CVE-2026-27040", "lastModified": "2026-03-25T17:16:53.450", "metrics": {}, "published": "2026-03-25T17:16:53.450", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woozone/vulnerability/wordpress-wzone-plugin-14-0-31-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:47:41.709446+00:00", "value": {"mitigation_remediation": ["Install the latest WZone plugin version (14.0.32 or later) to remove the path traversal flaw.", "Verify that the plugin files match the official release to detect tampering.", "Restrict file system permissions for the WordPress installation so that the web server process has the minimum privileges required.", "Enable logging for file deletions and monitor logs for unexplained changes."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the AA\u2011Team WZone plugin installed in any version up to and including 14.0.31 are affected. The vulnerability exists in all releases from the earliest available version through the specified cutoff.", "description_and_impact": "An improper limitation of file path names in the WZone plugin allows attackers to traverse directories and delete arbitrary files. This path\u2011traversal weakness can lead to removal of critical WordPress configuration, theme, or plugin files, resulting in service disruption or facilitating further compromise.", "risk_and_exploitability": "The vulnerability is highly severe as it permits deletion of any file within the WordPress filesystem that the web server can access. While no CVSS or EPSS score is listed, the potential impact is significant. Nothing in the keystone indicates an exploited or catalogued vector by CISA, yet the absence of a patch increases the likelihood that attackers could exploit this vector through crafted URLs or malicious uploads."}}}}, "created": "2026-03-25T21:44:13.464486+00:00", "updated": "2026-03-25T21:44:13.464520+00:00", "vendors": []}