Description
Unauthenticated Arbitrary File Deletion in BookPro <= 1.1.0 versions.
Published: 2026-06-17
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to delete arbitrary files on the server without authentication, leading to loss of content, website downtime, and possible sabotage of critical configuration files. The weakness is a pathname traversal or insufficient validation (CWE‑22).

Affected Systems

WordPress sites using the Ovatheme BookPro plugin version 1.1.0 or earlier are vulnerable. All installations of the plugin before the 1.1.1 release must be updated.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is considered high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The description explicitly states that the flaw is unauthenticated, meaning any user with network access to the site can exploit the delete function, usually by sending a crafted HTTP request to the plugin endpoint. Successful exploitation results in removal of specified files from the file system, potentially causing critical downtime or data loss.

Generated by OpenCVE AI on June 18, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ovatheme BookPro to version 1.1.1 or newer, where the file deletion logic has been fixed.
  • If an immediate upgrade is not possible, disable the BookPro plugin or remove the plugin directory entirely to prevent the exposure.
  • Enforce restrictive file system permissions so that the web server user cannot delete critical directories, and monitor for unexpected file deletions.

Generated by OpenCVE AI on June 18, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ovatheme
Ovatheme bookpro
Wordpress
Wordpress wordpress
Vendors & Products Ovatheme
Ovatheme bookpro
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Deletion in BookPro <= 1.1.0 versions.
Title WordPress BookPro plugin <= 1.1.0 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Ovatheme Bookpro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:28:51.788Z

Reserved: 2026-02-19T09:52:08.214Z

Link: CVE-2026-27400

cve-icon Vulnrichment

Updated: 2026-06-17T14:28:47.405Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:29Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')