Impact
The vulnerability allows an attacker to delete arbitrary files on the server without authentication, leading to loss of content, website downtime, and possible sabotage of critical configuration files. The weakness is a pathname traversal or insufficient validation (CWE‑22).
Affected Systems
WordPress sites using the Ovatheme BookPro plugin version 1.1.0 or earlier are vulnerable. All installations of the plugin before the 1.1.1 release must be updated.
Risk and Exploitability
With a CVSS score of 8.6, the vulnerability is considered high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The description explicitly states that the flaw is unauthenticated, meaning any user with network access to the site can exploit the delete function, usually by sending a crafted HTTP request to the plugin endpoint. Successful exploitation results in removal of specified files from the file system, potentially causing critical downtime or data loss.
OpenCVE Enrichment