Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.
Published: 2026-03-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

Improper Limitation of a Pathname to a Restricted Directory allows a path traversal condition that can lead to arbitrary deletion of files within the WordPress installation. The vulnerability permits a malicious actor to specify a file path that escapes the intended directory boundary, causing the Scape theme code to delete the target file. This can compromise site integrity, remove critical content or configuration files, and result in a denial of service. The weakness is catalogued as CWE-22.

Affected Systems

Whitebox-Studio Scape theme distributed as part of WordPress sites. All installations of the Scape theme with versions prior to 1.5.16 are affected. No additional vendor or product scope is identified beyond the theme itself.

Risk and Exploitability

The CVSS base score of 8.6 indicates a high severity vulnerability. EPSS indicates a low probability of widespread exploitation, and the issue is not listed in CISA’s KEV catalog, suggesting it has not been actively exploited in the wild. The likely attack vector is remote, achieved via HTTP requests to the WordPress site that invoke the vulnerable theme functionality. Exploitation would require successful path traversal and file deletion, though authentication requirements are not specified in the available description. Given these factors, the overall risk remains high but exploitation effort is likely low to moderate.

Generated by OpenCVE AI on March 26, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update to the Scape theme (v1.5.16 or later).
  • If an update is not immediately possible, disable or remove the Scape theme from the WordPress installation to prevent the path traversal from being triggered.

Generated by OpenCVE AI on March 26, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Whitebox-studio
Whitebox-studio scape
Wordpress
Wordpress wordpress
Vendors & Products Whitebox-studio
Whitebox-studio scape
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.
Title WordPress Scape theme < 1.5.16 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References

Subscriptions

Whitebox-studio Scape
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T14:21:17.718Z

Reserved: 2026-03-10T10:59:45.898Z

Link: CVE-2026-31913

cve-icon Vulnrichment

Updated: 2026-03-26T14:20:52.004Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:58.517

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-31913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:16Z

Weaknesses