Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal. This issue affects WZone: from n/a through <= 14.0.31.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Path Traversal flaw that allows an attacker to delete any file on the server’s file system via the WZone WordPress plugin. Because the plugin does not properly limit the file pathname to a controlled directory, an attacker can craft requests to point to critical system files, leading to data loss, loss of site functionality, or even facilitating further compromise if the deleted files are essential for running the site.

Affected Systems

The issue affects AA-Team’s WZone plugin for WordPress. All installations using version 14.0.31 or earlier are impacted; the record lists the affected range as ‘n/a through <= 14.0.31’.

Risk and Exploitability

The problem carries a CVSS score of 8.8, indicating high severity. Its EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, via the WordPress plugin interface, allowing an attacker to trigger the deletion of arbitrary files if they can send requests to the vulnerable endpoint.

Generated by OpenCVE AI on March 26, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WZone plugin to a version newer than 14.0.31.
  • If updating is not possible, disable or uninstall the plugin to block the attack surface.
  • Review site file permissions to ensure the web server does not have write access to critical directories.
  • Monitor application logs for any unexpected file deletion activity.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Aa-team
  Aa-team wzone
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Aa-team
  Aa-team wzone
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal. This issue affects WZone: from n/a through <= 14.0.31.

Type: Title
Values Removed: (none)
Values Added: WordPress WZone plugin <= 14.0.31 - Arbitrary File Deletion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:18:01.911Z

Reserved: 2026-02-17T13:23:18.875Z

Link: CVE-2026-27040

Vulnrichment

Updated: 2026-03-26T15:17:23.304Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:53.450

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:34Z