Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects WebinarIgnition: from n/a through < 4.08.253.
Published: 2026-05-27
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an attacker to delete arbitrary files on the server by exploiting a path traversal flaw in the WebinarIgnition plugin. A path traversal input allows the deletion of any file within the web root, leading to potential loss of configuration data, media, or critical application files. This deletion capability directly endangers the integrity and availability of the website and any services depending on the affected files.

Affected Systems

The bug affects WebinarIgnition, a product of the Saleswonder Team: Tobias, in all versions prior to 4.08.253. Any WordPress installation running a version of the plugin older than 4.08.253 is potentially vulnerable. The vulnerability was identified in the plugin’s file deletion functionality, which does not correctly restrict the file path to a permitted directory.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity, while the EPSS score is below 1% (very low), meaning the estimated likelihood of exploitation is low at this time. The plugin is typically exposed through a public web interface, and the CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a remote attack that requires low privileges and no user interaction. The lack of a KEV listing suggests no current publicly reported active exploitation, but the high severity and lack of safeguards still present a considerable risk. Failing to patch could allow attackers to delete essential files, causing significant service disruption.

Generated by OpenCVE AI on May 27, 2026 at 12:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the webinar-ignition plugin to version 4.08.253 or later to resolve the path traversal issue.
  • If an upgrade cannot be applied immediately, disable or uninstall the WebinarIgnition plugin to block the deletion functionality until a patch is released.
  • After applying the patch, verify that file permissions are correctly configured and consider implementing web‑server‑level restrictions (e.g., via .htaccess) to limit access to the plugin’s delete endpoint.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Values Added:
  Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects WebinarIgnition: from n/a through < 4.08.253.
  Title: WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability
  Weaknesses: CWE-22
  References
  Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:48:27.794Z

Reserved: 2026-04-29T09:05:35.592Z

Link: CVE-2026-42757

Vulnrichment

Updated: 2026-05-27T10:48:22.584Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:22.217

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:15:05Z

Weaknesses